". . control isn't in the tools . ."
The illusion of progress
Across the organisations I work with, there’s a familiar pattern. Significant investment is made into cyber security (new platforms are introduced, vendors engaged, roadmaps defined), and on paper, it all looks like progress.
Firewalls are upgraded. Identity platforms are replaced. Detection capabilities are enhanced. The language is modern, the tooling is current, and the intent is right.
And yet, beneath the surface, very little actually changes.
Incidents continue to occur. Delivery teams still operate in silos. Security remains misunderstood at leadership level. The organisation feels no more resilient than it did before the investment was made.
This is the point where many begin to question whether the tools themselves are the problem, whereas in reality, they’re not. The issue sits elsewhere.
The industry’s fixation on tools
Cyber transformation is too often approached as a technology exercise. It’s framed through the lens of capability uplift, vendor selection, and platform implementation.
This is understandable. Technology is tangible. It can be scoped, costed, and delivered against a timeline. It gives the appearance of control.
But it also creates a dangerous oversimplification.
Because the truth is that deploying new tools doesn’t change how an organisation behaves. Nor does it redefine accountability or improve communication between teams. And it certainly doesn’t build trust.
What it does is add another layer to an already complex environment - one that still relies on the same people, processes, and cultural dynamics that existed before.
This is where businesses can fall short. They lead with solutions before fully understanding the operating reality they are stepping into.
Where transformation really breaks down
In practice, the failure points in cyber transformation are rarely technical. They are structural and behavioural.
The first is ownership. Security is still widely perceived as the responsibility of a single function (often the CISO and their team). This creates an inherent disconnect. Engineering teams focus on delivery, assuming security will provide oversight. Security teams attempt to enforce controls, often without full visibility into delivery pressures. The result is fragmented accountability, where risk is passed between teams rather than owned collectively.
The second is timing. Security is frequently introduced too late in the lifecycle. Projects are designed and built with speed as the primary driver, and controls are layered on afterwards. This not only introduces inefficiency, but also positions security as a blocker rather than an enabler. Over time, this erodes trust and encourages workarounds, further weakening the organisation’s security posture.
The third is communication. Security discussions are often rooted in technical language (threat vectors, vulnerabilities, control frameworks) while the business operates in terms of risk, impact, and outcomes. When these two perspectives fail to align, decision-making becomes disconnected. Leadership struggles to prioritise effectively, and security initiatives lose momentum.
None of these issues can be solved by tooling alone.
What effective transformation looks like
Successful cyber environments aren’t defined by the number of tools they deploy, but by how well those tools, teams, and processes are aligned.
Security is embedded early, not introduced at the end. It forms part of the design process, working alongside engineering rather than against it.
Ownership is clear and distributed. Risk is not confined to a single team, but understood and managed across the organisation.
Communication is grounded in context. Security teams are able to articulate risk in a way that resonates with leadership, enabling informed decision-making and prioritisation.
In these environments, tools still play an important role - but they’re there to support a well-functioning system, not compensate for its weaknesses.
Trust as the missing layer
What sits at the centre of all of this is trust.
Trust between security and engineering, where both sides understand each other’s constraints and objectives.
Trust between leadership and delivery teams, where risk is communicated clearly and acted upon decisively.
Trust in the process itself, where controls are seen as part of building correctly, not something to be bypassed.
Without trust, even the most advanced tooling struggles to deliver value. With it, organisations are able to move faster, with greater confidence and control.
It is this layer (often overlooked, rarely prioritised) that ultimately determines whether transformation succeeds or fails.
Rethinking the business approach
This requires a shift in mindset.
Cyber transformation can’t begin with a toolset. It must begin with understanding - how the organisation operates, where accountability sits, how teams interact, and how risk is perceived at different levels.
Only once that foundation is clear does it make sense to introduce technology. At that point, tools become enablers of a defined strategy, rather than substitutes for one.
This is also where the real work begins. Not in implementation, but in embedding change - ensuring that new ways of working are adopted, sustained, and continuously improved.
It is more complex, less immediate, and often less visible than deploying a new platform. But it is where transformation actually happens.
Cyber security will always require investment in technology. That’s not in question.
What is often overlooked is that technology alone can’t transform an organisation.
Transformation is driven by people, shaped by process, and sustained through trust.
Until that becomes the starting point, organisations will continue to invest heavily, deliver confidently - and ultimately see limited return.
And from where I sit, working closely with both Clients and Candidates navigating these challenges, that is a pattern we can (and should) start to change.