
The Big Question: Maturity vs hype. Are companies buying the right cybersecurity for where they really are?

The need for cybersecurity is never far from the media headlines and the boardroom agenda.

Late last month the UK, Australia and the United States announced they had hit back at illicit Russian networks enabling cyber-attacks around the world.

Media Land, a Russian cyber crime group, has been described as one of the most significant operators of so-called “bulletproof” hosting services, which provide online infrastructure that enables cyber criminals to engage in illegal activity, including ransomware and phishing attacks.

Cyber criminals hiding behind Media Land’s services have been responsible for ransomware attacks against the UK which pose what has been described as “a pernicious and indiscriminate threat” with economic and societal cost, as well as malware and phishing campaigns.

Cyber-attacks are estimated to have cost British businesses £14.7 billion in 2024, accounting for 0.5% of GDP and growing every year.

Insurers have been working with clients to bolster cybersecurity systems in an effort to prevent attacks. That demand has created a new breed of cybersecurity companies which provide ever more sophisticated and robust defences against cyber criminals, who continue to create new ways to access company systems.

However, is there a danger that the race to cybersecurity is leaving some companies struggling to understand and implement the systems at their disposal, and in doing so creating new risks?

Lee Williams, Head of AdvantageGo

Nick Walker, Regional Director, EMEA at NetSPI, says the market needs to understand the security it needs and whether it can get the best use out of the systems installed.

“In cybersecurity, ambition often outruns ability,” he adds. “The market is overflowing with advanced offerings like red teaming, adversarial simulation, and full-spectrum testing that sound like badges of sophistication. They can be powerful, but only when an organisation is ready to use what they reveal. Too many businesses chase the advanced before they’ve mastered the basics, when what they really need is preparedness.

“That’s not just wasteful; it’s risky. Running a red team exercise before you’ve even set up endpoint detection is like asking an architect to test a wall before the concrete’s dry. You’ll get a handsome report, but the real cracks will still be there. Worse, executives walk away thinking the job’s done when all they’ve really done is tick a box.”

Walker continues: “Across the UK, the gap between cyber ambition and actual readiness is widening. The government’s Cyber Security Breaches Survey 2025 found that nearly half of businesses were hit by an attack last year. Yet only 27% have board-level responsibility for cybersecurity, and fewer than one in five trained staff within the past twelve months. Spending is up, awareness is up, but capability isn’t keeping pace.

“In highly regulated sectors such as finance and utilities, that maturity is built into daily risk management. Elsewhere, in manufacturing, logistics, retail and charities, it’s much less consistent. Many are told to ‘think like a bank’ without the people, the processes or the visibility to act like one. They overreach, paying for services they can’t yet turn into real protection.

“Imagine a mid-sized company that commissions a red team before it’s even carried out a proper penetration test. The exercise might show how easily an attacker could slip through, but it won’t reveal the full range of weaknesses that made that breach possible. Without a clear map of its vulnerabilities, or a routine for patching them, the business learns little it can act on. A few months later it pays for another simulation instead of fixing the underlying flaws. That’s not resilience – that’s fatigue disguised as progress.”

He adds that red teaming and adversarial testing can be hugely valuable in the right conditions. They expose weaknesses that audits might miss and teach teams to think like attackers. Without basic visibility, however, they’re little more than theatre. A business without Endpoint Detection and Response, regular patching or an incident-response plan isn’t defending itself; it’s watching someone else rehearse the attack.

“This points to a deeper problem,” Walker continues. “Cybersecurity has become performative. Too many boards and vendors treat it as a showcase of capability rather than a process of learning. Providers can push what sounds impressive, while buyers want what looks advanced. Both end up skipping the steps that matter most. Selling high-end simulations to a company missing the basics isn’t innovation; it’s negligence dressed up as expertise.”

On paper, the UK’s cyber sector is thriving. More than 2,100 firms now operate nationwide, employing around 67,000 people and generating over £13 billion in annual revenue. But the same data shows something less tidy. Almost half of businesses report gaps in fundamental skills such as firewall configuration and data handling, and nearly a third struggle with advanced work like forensics or penetration testing.

Investment tells a similar story. The North West now leads the country in cyber venture funding, taking nearly half of all 2024 capital. It’s a sign of confidence, but local skills and training haven’t yet caught up. Without the people to deploy and manage these systems, money moves faster than maturity can.

Walker says: “Many organisations are stuck between two worlds, one of aspiration, the other of readiness. And when those collide, what’s left is neither secure nor strategic.

“The word ‘basic’ does cybersecurity no favours. It sounds like a starting point when it should mean strength. Asset visibility, access control, patching discipline, data backups and user awareness aren’t warm-up acts before the real show – they are the show. They create the conditions that make advanced tools actually work.

“The industry needs to treat these fundamentals as critical infrastructure, not low-value services. It’s easier to sell complexity than consistency, but resilience comes from the latter. A company that patches on time, trains its people, and tests its backups will usually outperform one running the latest detection suite without the muscle to use it properly.

“Providers also have a duty to guide, not indulge. The best partners don’t just sell tools, they design journeys, building capability in steady, logical steps rather than hurling clients straight into the deep end.”

However, the challenge isn’t only technical, it’s cultural. The Cyber Security Labour Market Analysis 2025 found that while more than half of UK cyber professionals now use AI in their day-to-day work, fewer than half have any formal training in it.

“The tech is moving faster than people can adapt, and confidence is suffering,” Walker warns. “Mature security cultures anticipate that tension. They invest in understanding before automation, making sure every new layer of defence comes with the knowledge to use it well.”

He adds that the proportion of businesses with senior oversight of cybersecurity has dropped since 2021, a worrying sign as threats grow more complex. Governance is what turns technical work into organisational protection. Without it, security becomes an IT chore rather than a business priority: reactive, fragmented and, sooner or later, underfunded until a crisis forces attention.

“Real resilience doesn’t come from buying the newest technology, it comes from using what you have wisely,” Walker continues. “In cybersecurity, great power still calls for great responsibility, and getting the order right matters more than getting there first.

“For many organisations, that means saying no to the next shiny tool and yes to doubling down on the essentials: training staff, practising responses, closing the loop between security teams and leadership. Those steps rarely draw attention, but they’re the reason systems stay online when everyone else is scrambling.”

He concludes: “Providers, regulators and boards all share a stake in reinforcing that mindset. Providers should take pride in delivering the steady, practical services that actually make clients safer. Regulators should reward outcomes, not optics. Boards should ask for clarity, not spectacle.

“Cybersecurity has always been a race between capability and complacency. Right now, too many firms are sprinting on hype while their foundations are still drying. The answer isn’t to slow innovation, it’s to pace it. Buy the security you’re ready to use, not the one you hope to boast about. Hype makes noise, maturity keeps the lights on.”
