25 Apr 2025

Back to Basics with Steve Gillham: Why Security Needs Fewer Tools and More Skills

The tall ride at the funfair has a sign that reads, "You must be this height to ride." It's there for a reason: safety.

The same principle applies to cyber security. Organisations often purchase expensive security tools without having the resources, knowledge, or maturity to use them properly. In our team’s experience, this challenge affects companies of all sizes across industries.

We recently interviewed Steve Gillham, Infrastructure Security Manager at TSB Bank, who's currently implementing micro-segmentation and zero-trust networking. With over 40 years in IT and 20 years focused on security, he offers a valuable perspective on how organisations approach their security toolkit.

The CISO cycle

A pattern that we see in many organisations is what can be called the "CISO cycle."

A new CISO arrives, eager to make their mark. They purchase a range of tools — vulnerability management, cloud security, threat intelligence, identity access management — each with its own console and specialised knowledge requirements.

The challenge is that the average CISO tenure is only 18-26 months. By the time they leave, these tools have barely been properly deployed. Then, a new CISO comes in, and instead of continuing with the existing plan, they scrap everything to implement their preferred tools.

Steve believes that "a CISO should implement a plan that subsequent CISOs build upon, rather than completely replacing."

What exacerbates this issue is that these tools often come without proper staffing or training. Companies will spend hundreds of thousands of pounds on licences but expect security professionals trained in one discipline to suddenly become experts in others.

Steve compares this to "expecting a Cessna pilot to fly a 747 without proper training." No aviation authority would allow this, yet in security, professionals are expected to context-switch between completely different specialities — from identity and access management to vulnerability management to cloud security — without adequate training.

This approach leads to organisations using only a fraction of their expensive tools' capabilities, creating what the industry calls "shelfware."

The basics are being overlooked

Meanwhile, the fundamentals of good security, like asset management, are being neglected. "In most companies, there's a lack of server visibility. No one knows their location, purpose, or data flow, making risk assessment difficult," Steve explains.

The lack of basic asset knowledge leads to serious security issues. Steve recalled finding 200 servers with vulnerabilities that hadn't been patched for a year. When he raised this, he was told they were decommissioned — yet they were still running and had been for two years!

The TalkTalk breach exemplifies this problem. They were exploited via SQL injection on a server they didn't even know they had on the internet, a leftover from mergers and acquisitions that was missing from their Configuration Management Database (CMDB).

This points to another issue: security teams are chasing vulnerabilities rather than improving security. With hundreds of thousands of vulnerabilities to fix, businesses often say, "Fix all critical vulnerabilities in seven days." But this is impossible, Steve explains, so they pivot to "only fix the risky ones", which they can't identify because their asset database isn't up to date.

Steve advocates for a proactive approach:

"If you've got a computer, you need to patch it every month. It's as simple as that. Just patch it, automate that patching, and get rid of the vulnerabilities. Then you don't build up this big backlog of tech debt."

Taking responsibility and effective communication

Another important idea is to hold business owners accountable for security decisions.

Steve implemented a process where business owners, not security teams, had to sign waivers for unpatched systems. When forced to put their name on the line, they suddenly found a budget for fixes.

"If we did get breached because of that, and they say, 'Well, why didn't IT patch it?' Well, that's because the owner of that service didn't have the money or the budget to do it," Steve explained.

What's working well in tackling these challenges? For Steve, it's about communication.

He creates presentations showing how security controls work and why they're being implemented. When business owners understand the rationale, they're more supportive: "I find that animated representations of system workflows are effective in demonstrating the rationale behind security protocols, which non-technical stakeholders frequently misunderstand."

Transparency transforms relationships. When business owners understand the purpose behind security measures, they become allies rather than obstacles. They're more likely to support initiatives, provide necessary resources, and take ownership of their security responsibilities.

The interview with Steve reinforces a core principle at Chaleit: security isn't just an IT problem but a business challenge requiring shared responsibility across the organisation. The siloed approach of leaving security to "the security people" simply doesn't work.

Based on these insights, organisations should:

  • Match tool purchases with proper staffing and training.

  • Focus on the basics first — know your assets before buying fancy tools.

  • Automate patching wherever possible.

  • Hold business owners accountable for security decisions.

  • Communicate the "why" behind security controls.

  • Create continuity in security strategy beyond individual CISO tenures.

How is your organisation balancing security tools with the skills needed to use them effectively? Are your basics covered before investing in advanced solutions?

We'd love to discuss. Reach out to our team of cyber security experts directly.

About this article

Series: Expert Interviews

Topics: Strategy
