Security & GRC Insights

Cybersecurity Still Fails at the Basics

Kwesi Armah, 6 min read
Tags: Cybersecurity Basics, GRC, Audit Readiness, Control Evidence, Incident Readiness

The headlines change. The underlying patterns often do not.

Read enough incident reports, audit findings, regulatory findings, and post-incident reviews, and a pattern emerges. The story rarely turns on an exotic attack. It turns on a missed patch. An account that should have been deactivated months ago. A service quietly outside multi-factor authentication enforcement. A backup nobody had restored. Logs collected, but never read.

The tools were almost always there. The scanner. The identity platform. The MFA solution. The backup product. The SIEM. None of that prevented the outcome.

The pattern is consistent enough that it deserves to be named. The problem is not missing tools. The problem is missing operating discipline.

The four states of a control

Any control your organization claims to have lives in one of four states.

  • Bought. A contract was signed. A tool exists somewhere.

  • Deployed. The tool is installed and producing output.

  • Operated. A named person owns it, runs it on a defined cadence, and closes what it surfaces.

  • Evidenced. That operation can be demonstrated to an auditor, customer, insurer, or board on request, without scrambling.

Bought is the easiest. Evidenced is the hardest. When an incident or audit finding lands, it almost always lands in the gap between these states. The screenshot existed. The evidence trail did not.

The same gap surfaces across audit findings, vendor due diligence questionnaires, regulator inquiries, and post-incident reviews. Different rooms. Same conclusion: a control was asserted that nobody could evidence operating.

The five basics that still decide outcomes

Five disciplines decide more about real security outcomes than any new acquisition.

  • Patch and configuration discipline. Critical and high vulnerabilities have defined timelines. Exceptions are documented and time-bound. A named owner reviews the patch report each week.

  • Identity and access reviews. Joiners, movers, and leavers are processed promptly. Privileged accounts are reviewed quarterly. Service accounts have named human owners.

  • MFA everywhere it matters. All external access. All privileged access. All sensitive data access. The exception list is short, time-bound, and reviewed.

  • Backups that have been restored. A backup never restored is a hope, not a control. Restore drills are scheduled and evidenced.

  • Logs that a human reviews. Someone watches the alerts, triages them, and closes the loop. Coverage gaps are known and prioritized.

None of these are new. That is the point.
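To make the four states and the five basics concrete, here is an added example (not from the original article or from Armcap) of a small control-register check. It assumes a hypothetical register where each control records a named owner, a cadence in days, the date it last ran, how many items it surfaced that were not closed in time, the date of the newest evidence artifact, and any documented exceptions with their expiry. The classifier maps each control to bought, deployed, operated, or evidenced as of a reporting date, and a second check lists exceptions that have outlived their expiry. All names, dates and controls in the register are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Exemption:
    """A documented exception to a control, with a mandatory expiry date."""
    description: str
    expires: date

@dataclass
class Control:
    """One row of a hypothetical control register."""
    name: str
    owner: Optional[str]            # named human owner; None if nobody owns it
    cadence_days: Optional[int]     # how often the control is supposed to run
    last_run: Optional[date]        # last time it actually ran; None if never
    findings_past_sla: int          # items it surfaced that were not closed in time
    last_evidence: Optional[date]   # date of the newest artifact proving a run
    exemptions: list = field(default_factory=list)

def classify(control: Control, as_of: date) -> str:
    """Map a control to one of the four states as of the given date."""
    if control.last_run is None:
        return "bought"          # exists on paper, has never produced output
    if control.owner is None or control.cadence_days is None:
        return "deployed"        # produces output, but nobody runs it on a cadence
    run_overdue = (as_of - control.last_run).days > control.cadence_days
    if run_overdue or control.findings_past_sla > 0:
        return "deployed"        # owned, but not run on time or loop not closed
    if control.last_evidence is None or control.last_evidence < control.last_run:
        return "operated"        # runs properly, but the last run left no artifact
    return "evidenced"           # operation can be shown on request

def summarize(register: list, as_of: date) -> dict:
    """Return {control name: state} for the whole register."""
    return {c.name: classify(c, as_of) for c in register}

def expired_exemptions(register: list, as_of: date) -> list:
    """Return (control, description) for every exception past its expiry."""
    return [(c.name, e.description)
            for c in register for e in c.exemptions if e.expires < as_of]

# Constructed reporting date and register, aligned to the five basics.
AS_OF = date(2024, 6, 28)
REGISTER = [
    Control("Patch and configuration", "A. Patel", 7,
            date(2024, 6, 26), 0, date(2024, 6, 26),
            [Exemption("Legacy host, vendor patch pending", date(2024, 5, 31)),
             Exemption("Build server kernel pinned", date(2024, 9, 30))]),
    Control("Privileged access review", "B. Osei", 90,
            date(2024, 2, 15), 0, date(2024, 2, 15)),       # quarterly review missed
    Control("MFA enforcement", None, 30,
            date(2024, 6, 20), 0, date(2024, 6, 20)),       # no named owner
    Control("Backup restore drill", "D. Rossi", 90,
            None, 0, None),                                 # never restored
    Control("Log review", "E. Novak", 1,
            date(2024, 6, 28), 0, date(2024, 6, 23)),       # runs daily, evidence stale
]

if __name__ == "__main__":
    for name, state in summarize(REGISTER, AS_OF).items():
        print(f"{name:28s} {state}")
    for name, desc in expired_exemptions(REGISTER, AS_OF):
        print(f"EXPIRED EXCEPTION on {name}: {desc}")
```

Run against the constructed register, only the patch control reaches "evidenced"; the access review has slipped its quarterly cadence, MFA has no owner, the backup drill has never run, and log review runs daily but its evidence is five days old. One exception has expired. The point of the ordering in `classify` is that a control cannot be evidenced unless it is operated, and cannot be operated without an owner and a cadence, which mirrors how the gap between states usually shows up in a finding.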

Why this keeps happening, and it is not laziness

The structural forces are predictable.

  • Tools land faster than operating muscle. Procurement takes weeks. Building cadence, ownership, and evidence takes quarters.

  • Budgets reward acquisition. New platforms are easier to defend than headcount for operating what an organization already owns.

  • Some audit processes over-focus on control existence and under-test operating effectiveness, especially when scope, timing, or evidence standards are limited. A policy exists. A screenshot is produced. The deeper question of whether the control runs gets less attention than it should.

  • Executives ask for dashboards, not drills. A green dashboard is comforting. A failed tabletop is useful. Comfort wins more meetings than it should.

These pressures are not inevitable. Once leadership sees the pattern, the levers become visible.

What good looks like

The organizations that operate the basics well share a small set of habits.

Every control has a named human owner, paired with a backup and an escalation path. Cadence is defined and visible. Evidence is a byproduct of operation, not an emergency project. Exceptions are explicit and time-bound. And leadership runs a quarterly proof exercise: pick one control at random and ask the owner to produce evidence for the last quarter, on the spot. Repeat with a different control next quarter.

That one habit, done seriously, changes operating culture faster than any new tool.

The question that moves the needle

The most useful question a CEO, board, or audit committee can ask is not "what should we buy next?"

It is this:

"If a customer, regulator, or insurer asked us tomorrow for evidence that our five most important controls are operating, what would we fail to produce?"

That question moves the conversation from acquisition to operation. It surfaces the gaps that post-incident reviews eventually find anyway. It tends to be cheaper to act on than the next platform.

An exercise to try

Pick one of your five basics. Ask the owner, by name, to send evidence of last quarter's operation by Friday. Observe what comes back, and how long it takes. That is the program's real posture, not the one on the dashboard.

Closing

Tools are useful. Discipline is decisive. Many organizations that get hurt are not missing tools. They are missing consistent operation, ownership, and evidence. The tools may be there, but without ownership, cadence, and evidence, they can quietly become decoration. The work is not glamorous. It does not produce a vendor logo on a slide. It produces evidence, owners, and outcomes. That is what holds up when something goes wrong.

About this work. Armcap focuses on helping leaders strengthen the operating discipline behind their controls across assurance, risk management, compliance, and incident readiness. Evidence discipline is the common thread: what is owned, what is operating, what is tested, and what can be demonstrated when it matters.
