The Surgical Approach to Cybersecurity
In my previous article, I wrote about how dread in cybersecurity leads organisations to accumulate tools — adding complexity rather than protection. Today, I want to look at how to approach things differently.
How much is enough?
It’s an uncomfortable question, because there’s no universal answer. But it’s a question that carries real weight.
Cybersecurity doesn’t scale linearly — more tools don’t equal more security. Every additional component introduces another potential attack surface, another misconfiguration waiting to happen, another system that needs to be maintained and updated. Complexity is itself a threat vector.
Effective cybersecurity is a surgical instrument, not a machine gun. That means a small number of well-configured, actively managed solutions — not an all-encompassing arsenal that doesn’t actually work.
Four questions before buying anything new
1. What are our most critical assets? Before any conversation about products, answer this first. Business data? Customer information? Production systems? The answers determine what you actually need to protect.
2. What are the realistic threats we’re likely to face? Not theoretical worst-case scenarios — probable ones. A small business is rarely the primary target of a state-sponsored attack. But phishing, credential leaks, and unpatched vulnerabilities are universal. And attackers pick the lowest-hanging fruit in passing, even if your organisation wasn’t the original target.
3. Do we already have coverage for this? Run a thorough review of your existing technology before buying something new. More often than not, you’ll find a solution that’s already in place — just poorly configured. The instinct is to buy a replacement; the smarter move is to fix what you have.
4. Do we have the capacity to manage this? If the honest answer is “no” or “maybe”, don’t buy it. Poorly managed security software is more dangerous than no software at all.
Consolidation isn’t surrender
For many organisations, maturity in cybersecurity means not adding tools but removing them. That feels counterintuitive. It isn’t.
Fewer tools means fewer integration points where things go wrong; unified visibility, with all your events in one place rather than scattered across ten consoles; a simpler update process; and fewer people who need deep expertise in each system.
This isn’t an argument for a single vendor at all costs, or against specialised solutions when they’re genuinely warranted. It’s an argument that every additional component needs to earn its place — and be manageable within your actual capacity.
Updates are not optional
One practical rule: if you can’t guarantee that your security solutions are being kept up to date, you’re better off removing them.
Outdated security software is often worse than nothing — it offers false reassurance while protecting less and less. And in many cases, it becomes an attack surface in its own right.
The bottom line
Buying your way out of anxiety doesn’t make you more secure. It makes you spend more, manage less, and lose focus on the threats that actually matter.
Cybersecurity is a discipline, not a product catalogue. It requires clarity about what you’re protecting, what you’re protecting it from, and who is responsible — before any conversation about specific solutions.
Less, but better. It’s a principle that holds.