Cyber Security Predictions for 2024

John Madelin
Subscribe Contact us
John Madelin

“Cybercrime is the number one problem for mankind, and Cyberattacks are a bigger threat to humanity than nuclear weapons” - Warren Buffet

 

As we enter 2024, there are signs that the Cyber Security industry is teetering on the brink of a major transformation, culminating in a more coherent and business-involved approach which will ensure a better understanding and management of cyber risks.


Setting aside other associated factors for now, this metamorphosis is being fuelled by the astronomical rise in cybercrime that has been observable across the previous 3-5 years, turning it into a multi-trillion-dollar industry. The business leaders who missed this sudden rise in temperature, suddenly find themselves in boiling water.


These anticipated and imminent changes, accelerated by the lucrative and seemingly untouchable nature of cybercrime, will inevitably necessitate a more fundamental redefinition of cybersecurity strategies. The Dark Web’s explosion of sophisticated crime and the pivot from traditional crime streams, such as the illegal drug industry, to the high profit margins and low-risk profile of cybercrime is just too irresistible to a growing demographic. Between the intoxicating mix of easy money and apparent immunity, the appeal of cybercrime is reaching not only existing criminals, but new breeds.


This new era and new generation will force us to re-characterise what we mean by Cyber Security, as business leaders are set to thaw the icy divide between CISOs and the CIOs with whom they tend to work. This will push the industry into constructing a more deeply integrated and pervasive defence strategy overall.


However, this shift is not just about adopting new technologies; on the contrary, it amounts to a cultural revolution, and the associated liability, regulatory, maturity, quantification, integration, communication, and behavioural shifts in emphasis that are pulled into its current will be further catalysed by the growing ranks of ingenious cyber criminals and hackers at the gate, equipped to breach your defences with persistent creativity.


By now you may be thinking ‘wasn’t this a predictions article’? Yes, and so far I have tried to emphasise why the critical tactical actions that we begin today must be held to, not merely as piecemeal reactions to the cyber environment I have thus far outlined, but all the way to future proof. These tactical building-block priorities must become the planned foundations to support long-term resilience, we otherwise risk seeing the criminals melt into the dark web with our money and private data.


There’s a likelihood that absent vital improvements in our cyber defences, left by those still using old-school, gear-heavy, and fragmented defences, led by the autonomous and uncommunicative CISOs, those who fail to adapt will find themselves outmanoeuvred by the increasingly resourceful cybercriminals.


However, for those organisations in 2024 who recognise the gravity of the current climate and ingenuity of recent cybersecurity threats—and commit to more fundamental practices built into more IT and business integrated frameworks (which might also suggest a new breed of CISO)—the transition into 2025 is likely to be marked by a significant decrease in anxiety, and far more restful nights.


Traditional Technology Predictions for 2024


In this first section, we look at the more traditional, in-brief predictions for the gearheads, specifically falling within my Top 6 most pressing technology themes that will colour 2024:

 

Multi-Factor Authentication

 

Given how prevalent credentials are in attacks, we used to follow the rule of ‘Anything web-facing needs Multi-Factor Authentication (MFA)’. Now, in 2024, thanks to the cloud breaking into our legacy estate, our complete clarity on what exactly is being published to the web has become obscured. In 2024, the mantra must be changed to ‘everything needs MFA’, but this still has a long way to go.


Privileged Access Management

 

Since Privileged credentials are the holy grail for cybercriminals, these chinks in the armour need resolving urgently. This is exacerbated by the way in which responsibility for this resolution is spread across business units; tactical challenges can be resolved, but only if an appropriate leader, at an appropriate level, applies some pressure and urgency.


Systems are out-of-date, there are too many passwords, many of these are mismanaged, privileges themselves are too excessive, etc. In modern systems, the arrival of cloud multiplies these complexities, as does the expansion of responsibilities to third parties.


These systemic failings need to be addressed in 2024, and imminently. The way forward is a cross-functional emergency exercise, with a target to adopt and maintain serious discipline by this time next year.

 

Monitoring

 

You read that correctly—unbelievably, monitoring is much further behind than it needs to be as we move further into 2024, a fact that has somehow gone largely unnoticed.


This may be the reason why the cyber insurance industry weathered rough seas in 2020, and why we are now overwhelmed with high volumes of indiscriminate alerts.


We must improve basic log aggregation, normalisation, and correlations, through better IT integration. This reporting should be developed to enhance action, with a, perhaps uncomfortable, focus on more meaningful ‘one-ten-sixty’-style reporting.


With today’s current threat landscape, if the insurance losses are anything to go by, if your monitoring is not polished in 2024 then you can forget cyber insurance, as you can expect to suffer losses in 2024. 

 

Zero Trust

 

As a frequently misused and misunderstood phrase, it is important to establish a clear and consistent definition of what we mean by ‘Zero Trust’, first coined by Forrester’s John Kindervag many moons ago. The need for clarity is equally important to business leaders; they will expect quick intelligibility and relevance, or they will lose interest fast—and, for the first time in 2024, we need them seriously on board.


As you probably know, Kindervag’s core theme was to shift from the network’s ‘trust but verify’ model to ‘never trust but always verify’. This more cloud-ready mindset forces more emphasis on users, data, and devices across better segmented and more continuously monitored networks, also enhancing third-party risk management scenarios. Incremental steps in this direction, which reflect the need for more fundamental practices within more IT-integrated frameworks, can pay quick dividends in 2024.

 

AI Threats

 

I was reluctant to include this one, as I don’t believe that the use of AI either offensively or defensively will have a truly transformative effect on cyber defences in 2024/2025. I must, however, acknowledge that cybercriminals, who are after a quick win and are inherently street-smart, will use it to operate smarter and faster. At the very least, this will hopefully force companies to take care of their basics more effectively.


That being said, keeping an eye on AI is an increasingly critical aspect of security that is often overlooked, specifically the need to conduct regular, repeatable security testing of the AI technologies themselves. As the integration and use of AI tools becomes more pervasive, a new category is poised to become a bigger emphasis in 2024, one which continuously monitors AI systems for any unusual activities or anomalies, including tracking system performance and outputs.

 

IoT and OT (Complexity and Criticality)

 

Arguably, IoT is just more IP end points, which the networkers amongst you will be unphased by. I am using OT as shorthand (as many non-IT aware business leaders do) for ‘critical supply chain systems’. This amplification of the criticality of IoT as they continue to undertake more supply-chain functions suggests that we will need to distinguish which of them support critical business processes. In 2024, getting our arms around a near real-time and complex CMDB (the basic inventory of our IT estate), including this explosion of more integrated, more intelligent, and more mission-critical IP end points becomes of pressing concern. 


Conclusion


Some might argue that these predictions are a little basic, and you will have noted that I collected cloud and third party under ‘Zero Trust’, when arguably there is so much more to be said for both. However, I unapologetically remain of the opinion that, if we continue to build our infrastructure on sand, then we shouldn’t be surprised when it sinks.


A key theme in 2024, as we consider my predictions in the next section, is that we must first attack these ‘basic’ technical security categories in more meaningful ways before leaping into shinier, strategic topics that will remain moot if unsupported by solid foundations. 


What is Really Driving Change in 2024


The Business Sophistication of the Cyber-Criminal Fraternity


Cybercrime as a Service (CaaS) is an industry by which threat actors on the Dark Web sell their tools, expertise, and services to others, often in franchise or affiliate models.


Since the primary goal for such criminals is to make more money with less effort and less direct involvement, this exploding trend is a worrying, yet increasingly material, part of the criminal Dark Web. It is estimated that at least two thirds of ransomware, one of the largest categories of cybercrime, is conducted through a CaaS model (according to Cyber Resilience Insights).


There is a frightening level of organisation and sophistication with the roles, expertise, and infrastructure of these CaaS models that is making it easier for new entrants to subscribe to criminal franchises without the need for any technical or operational knowledge. Full-service CaaS operators will offer not only customer service to affiliates during ransomware campaigns, but they may also handle ransomware payments and decryption key access, for example.


The organisational sophistication of these franchisors is breathtaking, let alone their pricing and marketing capabilities. Operators such as Lockbit 2.0 offers guarantees on the speed of infection, not to mention service guarantees in recovery for those who pay the ransom.


In 2024 and beyond, his will continue to enable access to a wider demographic of new criminal profiteers in more resilient and integrated models that continue to evolve and improve with time and volume. More criminals will continue to exit lower profit and higher risk activities, such as people-trafficking and drugs, and move into cybercrime. 


Key 2024 Takeaway: This re-enforces the need to re-visit the basics; cyber activities will continue to be a volume game for the perpetrators. 

 

Visibility of Cybercrime to Non-Experts

 

Crime will become more visible, at last.


At the higher end of the size estimates for cybercrime are $10.5 trillion by 2027. Allowing for a certain amount of scepticism, even if we halve those numbers, the US Government estimates that IP theft alone now amounts to around $600 billion a year, suggesting that ‘trillions’ is now the sizing language for cybercrime.


It should be noted that this number is widely distributed across a wide variety of criminal activity. The criminal fraternity are not greedy, given that too much visibility raises risk levels from complete impunity to unnecessary minimum risk. Whilst, globally, 72.7% of all organisations fell prey to a ransomware attack in 2023 (Statista), too much of this goes unreported. Because it represents a huge volume of mid-level cash impact, it has been too fragmented for any single action to deliver any more attention-grabbing deathblows, but is instead amounting to a less visually compulsive ‘death by a thousand cuts’.


Attacks are becoming so widespread and persistent, as well as collectively reaching material levels from a wider demographic of criminals, and taking numerous variegated forms of profiteering (such as data theft, phishing, malware, ransomware, DDos), that the growth in visibility to the Boardroom will accelerate in 2024.


Key 2024 Takeaway: In the past, research has suggested that CISOs have gotten away with accepting ‘smile and wave’ feedback from the board. While that may have worked previously, this will now force security and IT leaders to be held more accountable in real terms in 2024, and we will see much sharper qualification and expectations from the Board in the coming year as a result.


Furthermore, this opportunity will not be lost on the more mature CISOs. They will use these almost absurdly unrealistic yet engaging and increasingly visible happenings to fuel strong anecdotal storytelling with board members, in order to catch and retain their attention.

 

Authorities will Continue to Turn Up the Heat on CISOs and Business Leaders

 

A recent set of straw polls from front-line incident response experts in 2023 suggested that between 70-90% of incidents are not disclosed and, in another significant proportion, ransoms are paid.


However, during July 2023, the Securities and Exchange Commission (SEC) in the US adopted rules requiring registrants to disclose any material cybersecurity incidents that they experience, and to disclose on an annual basis any information regarding their cybersecurity risk management, strategy, and governance.


For those breathing a sigh of relief that they do not work or reside within the US, the Commission has also adopted rules that effectively incorporate certain categories of foreign entity that pass a business contact or ownership test. These steps are expected to be adopted in Europe, and some of them have already been incorporated within the EU Cyber Resilience Act (CRA).


These new rules will require registrants to disclose any cybersecurity incident they determine to be significant enough on a formal reporting form, and to describe the aspects of the incident’s nature, scope, and timing, as well as its impact – or potential impact – on the registrant.


These changes will thus force a much closer relationship to develop with lawyers in 2024, who must be prepared for virtually real-time disclosure responsibilities and their impacts on personal and professional liabilities and fines. 


Key 2024 Takeaway: Disclosure warrants a significant amount of workload involving lawyers, regulators, clients, media, executive, and the board, not to mention all the paperwork around the crime scene and a host of behaviours affected by subject-to-privilege constraints.


With all of this in mind, it is even more important to run those tabletop exercises in 2024, and ensure that you have all of the internal help and flexible bench strength from a host of experts ready at hand.

 

Around 50% of CISOs will leave in 2024

 

Another recent survey has suggested that 94% of CISOs are affected by stress, and that, for 64%, these, stress levels are compromising their ability to do their job. The relentless barrage of incidents which consistently affect nights, weekends, and vacations, combined with the aggression with which such incidents are met from impatient work colleagues and business partners is traumatic enough, but it is increasingly becoming the norm for CISOs to be held personally liable.


Recent actions from the US Government display a growing practice of holding executives accountable for cybersecurity breaches. Notably, the US District Court in San Francisco brought criminal charges against Joe Sullivan, Uber’s former CISO, for his alleged role in covering up a 2016 data breach. Professional observers say that he narrowly avoided going to prison because he was the first, and thus the rest of us should see this as a warning; however, it should be noted here that his $50,000 fine, significant costs of defending himself, and three years of probation are not going to help CISO stress levels.


This is compounded by the latest news from SolarWinds suggesting that executives there are likely to be held personally liable for their cyber security threats. Admittedly, as of now, there hasn’t been a specific legislation or regulation that would lead to the staff at SolarWinds being personally liable, but the legal and regulatory landscape is evolving, with discussions surrounding the accountability for cybersecurity incidents at the corporate leadership level expected to accelerate. In short, it can be deduced that around 50% of CISOs are expected to change career paths by 2025.


More imminently, in 2024, all of this will result in the lawyers and leaders representing major organisations paying much more attention to cyber and their D&O insurance. This shift will force closer attention and alignment with broader efforts to strengthen cyber defence mechanisms and ensure responsible management of cybersecurity risks within organisations, where failures in attention to detail could still result in jail time and other uncovered and personal liabilities. 


Key 2024 Takeaway: This concerns those in business leadership specifically. If your CISO is a true front-line CISO, they will be suffering, and if you have not already done so, then now is the time to reach out and offer support. Accountability needs to be shared, or you’re going to lose your CISO and find them hard to replace. The days of autonomous and isolated CISOs being ‘left to do the expert cyber stuff’ are over.

 

Budgets and Quantifying Risk and Return in Cyber Security

 

In a recent board and CISO report, supported by thorough survey work and conducted by the analyst firm, Cyentia, the topics and concerns mentioned by board members that were cited as the most critical and pressing fell at the bottom of the priority list for CISOs.


I was closely involved in the first of the series, and personally spoke to dozens of CISOs, all of whom assured me of their close relationship and good communication with the board. The 75 board members surveyed universally disagreed—one quote in particular spoke volumes: ‘Security has a seat at the table, but has nothing to say. We’re listening, but security mumbles.’


The board-side lack of appetite to resolve these differences was amplified by the fact that, at the time (2017-2018), cybercrime did not have the visibility that it has today, in which it is near-impossible to ignore, and, in their words, ‘there’s no chance of fines or personal liability for me’.


Looking at the spending side, there has been almost unconstrained growth in Cyber Budgets in the period 2010 to 2020, expanding across a wide range from 6% - 14% of the company’s annual IT budget, and averaging at 10%. This has grown during a period in which, while experts could recognise the growth in cybercrime activity, business leaders felt no need to get involved.


Arguably, budgets were parcelled out to CISOs largely to keep the problem at arm’s length, during a time at which, according to my own survey expertise, leaders were paying lip-service to cyber defence and regulation.


Meanwhile, the evolving and escalating nature of cyber threats has hit the radars of most business leaders. In 2020, the FBI declared a record level of activity, unbeknownst at the time that this remarkable increase would continue to accelerate.


As cybercrime has exploded in size and diversity since 2020, budgets have been reducing. This is a strange coincidence, with one theory being that IT leaders and CISOs have suddenly found themselves being asked to hold themselves accountable for a spend that, over the last 15 years, has been tech-vendor-led, uncontrolled, and indiscriminate. This has led to the pause-button being hit in order to better understand what we have, before choosing to add any further investment.


‘Indiscriminate’ may seem like a provocative turn of phrase here, but it covers the reduced accountability for clear outcomes than are associated with other spending categories of a similar size. In the apocryphal words of some CISOs, the more you spend, the more ‘nothing’ (referring to peace of mind) that you get. This is not usually a good enough business case for a CFO.


Key 2024 Takeaway: The security community has tried and failed to engage the Board with any impact. The security community has struggled to meaningfully capture the Board's attention. However, there's a promising shift towards a new archetype of business savvy CISOs who embrace the 'listen more, speak less' approach, skilfully blending rigorous discipline with the nuanced 'narrate with data' soft skills required. Despite these advancements, bridging the gap between cybersecurity and executive engagement remains a significant hurdle, and there is still a long way to go.


In 2024, CISOs must identify with the business, build security awareness, be credible and candid, and provide ‘pointed evidence’. KPIs for the board should be based on underlying core business initiatives supported by security products and processes in a ‘by design’ approach that places security as an unobtrusive yet solid foundation to business offerings and the platforms upon which they sit.


Conclusion


While I anticipate the eye-rolls toward the Warren Buffet quote with which I opened this article, I hope we can all agree that he is not known for his hyperbole. Rather, he is known for due diligence across a wide cross-section of businesses. I am assuming he will have seen first-hand the Board members squirming as the temperature rises.


2024 will be the year to finally consolidate, integrate, simplify, and operationalise shoulder-to-shoulder with business and IT leaders, who will at last take an active interest in cyber security, and expect CISOs to operate like business leaders, together.


The interest and active engagement of the board will be amplified by the extraordinary scale and frightening growth, not to mention evolution, of cybercrime.


Attention will also be sharpened by the promise of serious personal and professional liability, with material amounts of money, and a stronger likelihood of being affected, coming into view for even the most sceptical of naysayers.


It is still going to be about getting the basics right in 2024, as the profound changes outlined in this article necessitate a more fundamental redefinition of cybersecurity strategies at a cultural level, involving a wider demographic of more actively interested leaders and lawyers determined to support the more coherent and integrated execution of threat defence strategy.


At Cambridge Management Consulting, we are equipped with a Cyber Security practice, led by John Madelin, which can accelerate, optimise, and strengthen your cyber-infrastructure, and support you in staying ahead of these trends and developments.

About Cambridge Management Consulting


Cambridge Management Consulting (Cambridge MC) is an international consulting firm that helps companies of all sizes have a better impact on the world. Founded in Cambridge, UK, initially to help the start-up community, Cambridge MC has grown to over 150 consultants working on projects in 20 countries.


Our capabilities focus on supporting the private and public sector with their people, process and digital technology challenges.


For more information visit www.cambridgemc.com or get in touch below.

Contact - Africa

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Abstract kaleidoscope of AI generated shapes

What Is the Third Way to Successful AI Adoption?

by Tom Burton 10 September 2025
This article explores the ‘Third Way’ to AI adoption – a balanced approach that enables innovation, defines success clearly, and scales AI responsibly for lasting impact | READ FULL ARTICLE
A Data centre in a field

Case Study: Expanding Deep Green's Market Presence Through Cambridge MC's Global Network

by Stuart Curzon 22 August 2025
Discover how Deep Green, a pioneer in decarbonised data centres, partnered with Cambridge Management Consulting to expand its market presence through an innovative, sustainability‑driven go‑to‑market strategy | READ CASE STUDY
Crystal ball on a neon floor

Fixing the Future: How Digital Twins Will Transform Project Management

by Jason Jennings 21 August 2025
Discover how digital twins are revolutionising project management. This article explores how virtual replicas of physical systems are helping businesses to simulate outcomes, de-risk investments and enhance decision-making.
A vivid photo of the skyline of Stanley on the Falkland Islands

Cambridge Management Consulting, Falklands IT, and Hermes/Viraat Heritage Trust Provide Educational Resources to the Falklands

by Cambridge Management Consulting 20 August 2025
Cambridge Management Consulting (Cambridge MC) and Falklands IT (FIT) have donatede £3,000 to the Hermes/Viraat Heritage Trust to support the learning and development of young children in the Falkland Islands.
A modern office building on a wireframe floor with lava raining from the sky in the background

What Drives Your Organisation’s Cyber Security?

by Tom Burton 29 July 2025
What’s your organisation’s type when it comes to cyber security? Is everything justified by the business risks, or are you hoping for the best? Over the decades, I have found that no two businesses or organisations have taken the same approach to cybersecurity. This is neither a criticism nor a surprise. No two businesses are the same, so why would their approach to digital risk be? However, I have found that there are some trends or clusters. In this article, I’ve distilled those observations, my understanding of the forces that drive each approach, and some indicators that may help you recognise it. I have also suggested potential advantages and disadvantages. Ad Hoc Let’s start with the ad hoc approach, where the organisation does what it thinks needs to be done, but without any clear rationale to determine “How much is enough?” The Bucket of Sand Approach At the extreme end of the spectrum is the 'Bucket of Sand' option which is characterised by the belief that 'It will never happen to us'. Your organisation may feel that it is too small to be worth attacking or has nothing of any real value. However, if an organisation has nothing of value, one wonders what purpose it serves. At the very least, it is likely to have money. But it is rare now that an organisation will not hold data and information worth stealing. Whether this data is its own or belongs to a third party, it will be a target. I’ve also come across businesses that hold a rather more fatalistic perspective. Most of us are aware of the regular reports of nation-state attacks that are attempting to steal intellectual property, causing economic damage, or just simply stealing money. Recognising that you might face the full force of a cyber-capable foreign state is undoubtedly daunting and may encourage the view that 'We’re all doomed regardless'. If a cyber-capable nation-state is determined to have a go at you, the odds are not great, and countering it will require eye-watering investments in protection, detection and response. But the fact is that they are rare events, even if they receive disproportionate amounts of media coverage. The majority of threats that most organisations face are not national state actors. They are petty criminals, organised criminal bodies, opportunistic amateur hackers or other lower-level actors. And they will follow the path of least resistance. So, while you can’t eliminate the risk, you can reduce it by applying good security and making yourself a more challenging target than the competition. Following Best Practice Thankfully, these 'Bucket of Sand' adopters are less common than ten or fifteen years ago. Most in the Ad Hoc zone will do some things but without clear logic or rationale to justify why they are doing X rather than Y. They may follow the latest industry trends and implement a new shiny technology (because doing the business change bit is hard and unpopular). This type of organisation will frequently operate security on a feast or famine basis, deferring investments to next year when there is something more interesting to prioritise, because without business strategy guiding security it will be hard to justify. And 'next year' frequently remains next year on an ongoing basis. At the more advanced end of the Ad Hoc zone, you will find those organisations that choose a framework and aim to achieve a specific benchmark of Security Maturity. This approach ensures that capabilities are balanced and encourages progressive improvement. However, 'How much is enough?' remains unanswered; hence, the security budget will frequently struggle for airtime when budgets are challenged. It may also encourage a one-size-fits-all approach rather than prioritising the assets at greatest risk, which would cause the most significant damage if compromised. Regulatory-Led The Regulatory-Led organisation is the one I’ve come across most frequently. A market regulator, such as the FCA in the UK, may set regulations. Or the regulator may be market agnostic but have responsibility for a particular type of data, such as the Information Commissioner’s Office’s interest in personal data privacy. If regulatory compliance questions dominate most senior conversations about cyber security, the organisation is probably in this zone. Frequently, this issue of compliance is not a trivial challenge. Most regulations don’t tend to be detailed recipes to follow. Instead, they outline the broad expectations or the principles to be applied. There will frequently be a tapestry of regulations that need to be met rather than a single target to aim for. Businesses operating in multiple countries will likely have different regulations across those regions. Even within one country, there may be market-specific and data-specific regulations that both need to be applied. This tapestry is growing year after year as jurisdictions apply additional regulations to better protect their citizens and economies in the face of proliferating and intensifying threats. In the last year alone, EU countries have had to implement both the Digital Operational Resilience Act (DORA) and Network and Infrastructure Security Directive (NIS2) , which regulate financial services businesses and critical infrastructure providers respectively. Superficially, it appears sensible and straightforward, but in execution the complexities and limitations become clear. Some of the nuances include: Not Everything Is Regulated The absence of regulation doesn’t mean there is no risk. It just means that the powers that be are not overly concerned. Your business will still be exposed to risk, but the regulators or government may be untroubled by it. Regulations Move Slowly Cyber threats are constantly changing and evolving. As organisations improve their defences, the opposition changes their tactics and tools to ensure their attacks can continue to be effective. In response, organisations need to adjust and enhance their defences to stay ahead. Regulations do not respond at this pace. So, relying on regulatory compliance risks preparing to 'Fight the last war'. The Tapestry Becomes Increasingly Unwieldy It may initially appear simple. You review the limited regulations for a single region, take your direction, and apply controls that will make you compliant. Then, you expand into a new region. And later, one of your existing jurisdictions introduces an additional set of regulations that apply to you. Before you know it, you must first normalise and consolidate the requirements from a litany of different sets of rules, each with its own structure, before you can update your security/compliance strategy. Most Regulations Talk about Appropriateness As mentioned before, regulations rarely provide a recipe to follow. They talk about applying appropriate controls in a particular context. The business still needs to decide what is appropriate. And if there is a breach or a pre-emptive audit, the business will need to justify that decision. The most rational justification will be based on an asset’s sensitivity and the threats it is exposed to — ergo, a risk-based rather than a compliance-based argument. Opportunity-Led Many businesses don’t exist in heavily regulated industries but may wish to trade in markets or with customers with certain expectations about their suppliers’ security and resilience. These present barriers to entry, but if overcome, they also offer obstacles to competition. The expectations may be well defined for a specific customer, such as DEF STAN 05-138 , which details the standards that the UK Ministry of Defence expects its suppliers to meet according to a project’s risk profile. Sometimes, an entire market will set the entry rules. The UK Government has set Cyber Essentials as the minimum standard to be eligible to compete for government contracts. The US has published NIST 800-171 to detail what government suppliers must meet to process Controlled Unclassified Information (CUI). Businesses should conduct due diligence on their suppliers, particularly when they provide technology, interface with their systems or process their data. Regulations, such as NIS2, are increasingly demanding this level of Third Party Risk Management because of the number of breaches and compromises originating from the supply chain. Businesses may detail a certain level of certification that they consider adequate, such as ISO 27001 or a System & Organization Controls (SOC) report. By achieving one or more of these standards, new markets may open up to a business. Good security becomes a growth enabler. But just like with regulations, if the security strategy starts with one of these standards, it can rapidly become unwieldy as a patchwork quilt of different entry requirements builds up for other markets. Risk-Led The final zone is where actions are defined by the risk the business is exposed to. Being led by risk in this way should be natural and intuitive. Most of us might secure our garden shed with a simple padlock but would have several more secure locks on the doors to our house. We would probably also have locks on the windows and may add CCTV cameras and a burglar alarm if we were sufficiently concerned about the threats in our area. We may even install a secure safe inside the house if we have some particularly valuable possessions. These decisions and the application of defences are all informed by our understanding of the risks to which different groups of assets are exposed. The security decisions you make at home are relatively trivial compared to the complexity most businesses face with digital risk. Over the decades, technology infrastructures have grown, often becoming a sprawling landscape where the boundaries between one system and another are hard to determine. In the face of this complexity, many organisations talk about being risk-led but, in reality, operate in one of the other zones. There is no reason why an organisation can’t progressively transform from an Ad Hoc, Regulatory-Led or Opportunity-Led posture into a Risk-Led one. This transformation may need to include a strategy to enhance segmentation and reduce the sprawling landscape described above. Risk-Led also doesn’t mean applying decentralised, bespoke controls on a system-by-system basis. The risk may be assessed against the asset or a category of assets, but most organisations usually have a framework of standard controls and policies to apply or choose from. The test to tell whether an organisation genuinely operates in the Risk-Led zone is whether they have a well-defined Risk Appetite. This policy is more than just the one-liner stating that they have a very low appetite for risk. It should typically be broken down into different categories of risk or asset types; for instance, it might detail the different appetites for personal data risk compared to corporate intellectual property marked as 'In Strict Confidence'. Each category should clarify the tolerance, the circumstances under which risk will be accepted, and who is authorised to sign off. I’ve seen some exceptionally well-drafted risk appetite policies that provide clear direction. Once in place, any risk review can easily understand the boundaries within which they can operate and determine whether the controls for a particular context are adequate. I’ve also seen many that are so loose as to be unactionable or, on as many occasions, have not been able to find a risk appetite defined at all. In these situations, there is no clear way of determining 'How much security is enough'. Organisations operating in this zone will frequently still have to meet regulatory requirements and individual customer or market expectations. However, this regulatory or commercial risk assessment can take the existing strategy as the starting point and review the relevant controls for compliance. That may prompt an adjustment to security in certain places. But when challenged, you can defend your strategy because you can trace decisions back to the negative outcomes you are attempting to prevent — and this intent is in everyone’s common interest. Conclusions Which zone does your business occupy? It may exist in more than one — for instance, mainly aiming for a specific security maturity in the Ad Hoc zone but reinforced for a particular customer. But which is the dominant zone that drives plans and behaviour? And why is that? It may be the right place for today, but is it the best approach for the future? Apart from the 'Bucket of Sand' approach, each has pros and cons. I’ve sought to stay balanced in how I’ve described them. However, the most sustainable approach is one driven by business risk, with controls that mitigate those risks to a defined appetite. Regulatory compliance will probably constitute some of those risks, and when controls are reviewed against the regulatory requirements, there may be a need to reinforce them. Also, some customers may have specific standards to meet in a particular context. However, the starting point will be the security you believe the business needs and can justify before reviewing it through a regulatory or market lens. If you want to discuss how you can improve your security, reduce your digital risk, and face the future with confidence, get in touch with Tom Burton, Senior Partner - Cyber Security, using the below form.
AI co-pilot

AI as Your Project Management Co-Pilot: Beyond Basic Automation

by Jason Jennings 28 July 2025
Jason Jennings | Elevate your project management with AI. This guide for senior leaders explains how AI tools can enhance project performance through predictive foresight, cognitive collaboration, and portfolio intelligence. Unlock the potential of AI in your organisation and avoid the common pitfalls.
St Pauls Cathedral

English Devolution Bill: What It Means for Local Authorities and Communities

by Craig Cheney 24 July 2025
Craig Cheney | The UK Government has taken a major step forward in reshaping local governance in England with the publication of the English Devolution and Community Empowerment Bill. This is more than a policy shift — it’s a structural rethink that sets out to make devolution the norm, not the exception.

Partner Spotlight: Faye Holland

by Faye Holland 11 July 2025
Today, we are proud to be spotlighting Faye Holland, who became Managing Partner at Cambridge Management Consulting for Client PR & Marketing as well as for our presence in the city of Cambridge and the East of England at the start of this year, following our acquisition of her award-winning PR firm, cofinitive. Faye is a prominent entrepreneur and a dynamic force within the city of Cambridge’s renowned technology sector. Known for her ability to influence, inspire, and connect on multiple fronts, Faye plays a vital role in bolstering Cambridge’s global reputation as the UK’s hub for technology, innovation, and science. With over three decades of experience spanning diverse business ventures, including the UK’s first ISP, working in emerging business practices within IBM, leading European and Asia-Pacific operations for a global tech media company, and founding her own business, Faye brings unparalleled expertise to every endeavour. Faye’s value in the industry is further underscored by her extensive network of influential contacts. As the founder of cofinitive, an award-winning PR and communications agency focused on supporting cutting-edge start-ups and scale-ups in tech and innovation, Faye has earned a reputation as one of the UK’s foremost marketing strategists. Over the course of a decade, she built cofinitive into a recognised leader in the communications industry. The firm has since been featured in PR Weekly’s 150 Top Agencies outside London, and has been named year-on-year as the No. 1 PR & Communications agency in East Anglia. cofinitive is also acknowledged as one of the 130 most influential businesses in Cambridge, celebrated for its distinctive, edge, yet polished approach to storytelling for groundbreaking companies, and for its support of the broader ecosystem. Additionally, Faye is widely recognised across the East of England for her leadership in initiatives such as the #21toWatch Technology Innovation Awards, which celebrates innovation and entrepreneurship, and as the co-host of the Cambridge Tech Podcast. Individually, Faye has earned numerous accolades. She is listed among the 25 most influential people in Cambridge, and serves as Chair of the Cambridgeshire Chambers of Commerce. Her advocacy for women in technology has seen her regularly featured in Computer Weekly’s Women in Tech lists, and recognised as one of the most influential women in UK tech during London Tech Week 2024 via the #InspiringFifty listing. Faye is also a dedicated mentor for aspiring technology entrepreneurs, having contributed to leading entrepreneurial programs in Cambridge and internationally, further solidifying her role as a driving force for innovation and growth in the tech ecosystem. If you would like to discuss future opportunities with Faye, you can reach out to her here .
Cambridge MC Falklands team standing with Polly Marsh, CEO of the Ulysses Trust, holding a cheque

The Ulysses Trust Receives £10,000 Donation from Cambridge Management Consulting

by Lucas Lefley 10 July 2025
From left to right: Tim Passingham, Tom Burton, Erling Aronsveen, Polly Marsh, and Clive Quantrill.
More posts