The disconnect between controls and business risk

May 15, 2026

Security Journal UK hears exclusively from Mark Edgeworth, CEO of Hicomply, about why good security still fails when controls are not connected to business risk.

When it comes to cybersecurity, organisations are still given familiar advice – strengthen passwords, train staff, keep systems patched.

None of this is wrong, but it doesn’t address the fact that data protection is actually a governance issue.

Organisations are being caught out because they aren’t connecting their security controls to business risk in a way that boards can understand, act on and be held accountable for.

Phishing remains the dominant path of attack, responsible for 84% of UK business breaches in 2025, according to the government’s Cyber Security Breaches Survey, but the nature of those attacks has changed.

Generative AI has made them more convincing, more targeted and far harder to detect, whilst hybrid working has extended the corporate perimeter beyond recognition, scattering sensitive data across personal devices, home networks and third-party platforms that IT teams may never see.

In that context, data protection needs to be approached as a discipline that runs through the whole organisation, and the following priorities reflect where organisations should be focusing their attention.

Tie vulnerability management to business risk

Many organisations still prioritise vulnerabilities based on Common Vulnerability Scoring System (CVSS) scores, addressing critical-rated issues first and deferring those considered less severe.

That approach made sense when environments were more contained, but it is far less effective today.

Risk-based vulnerability management requires a different lens, starting with understanding which assets matter most to your operations, where sensitive data actually lives and how an attacker might chain together multiple weaknesses to reach it.

This requires collaboration between security teams and business leaders, and it forces both to consider what disruption would actually look like in practice.
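As an added illustration (not from the article or from Hicomply), a small Python model of the prioritisation this section describes: each weakness is weighted by the criticality of the asset it sits on, whether it is reachable from the internet, and whether an attacker landing there could chain through to an asset holding sensitive data. The criticality values, weightings and sample estate are assumptions, and the vulnerability ids are placeholders, not real CVEs.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    criticality: int               # 1 (low) to 5 (critical), agreed with business owners
    holds_sensitive_data: bool
    reaches: list = field(default_factory=list)   # assets an attacker could pivot to from here

@dataclass
class Vuln:
    vuln_id: str                   # placeholder ids, not real CVE numbers
    cvss: float
    asset: str
    internet_exposed: bool

def reaches_sensitive(asset_name, assets, seen=None):
    """True if an attacker on this asset can chain through to one holding sensitive data."""
    seen = set() if seen is None else seen
    if asset_name in seen:          # guard against cycles in the reachability graph
        return False
    seen.add(asset_name)
    asset = assets[asset_name]
    if asset.holds_sensitive_data:
        return True
    return any(reaches_sensitive(n, assets, seen) for n in asset.reaches)

def risk_score(vuln, assets):
    """CVSS weighted by what the asset is worth and how far the weakness could take an attacker."""
    score = vuln.cvss * assets[vuln.asset].criticality
    if vuln.internet_exposed:
        score *= 1.5               # assumed weighting: exploitable without an existing foothold
    if reaches_sensitive(vuln.asset, assets):
        score *= 2.0               # assumed weighting: sits on a path to the data that matters
    return round(score, 1)

def prioritise(vulns, assets):
    return sorted(vulns, key=lambda v: risk_score(v, assets), reverse=True)

# Constructed sample estate: an isolated build server and a public portal that can reach the customer DB.
SAMPLE_ASSETS = {
    "build-server": Asset(2, False),
    "web-portal": Asset(4, False, ["customer-db"]),
    "customer-db": Asset(5, True),
}
SAMPLE_VULNS = [
    Vuln("vuln-1", 9.8, "build-server", False),   # critical CVSS, but on an isolated low-value host
    Vuln("vuln-2", 6.5, "web-portal", True),      # medium CVSS, internet-facing, leads to the data
    Vuln("vuln-3", 7.5, "customer-db", False),
]
```

Ordering by CVSS alone would fix vuln-1 first; the risk-weighted order puts the medium-severity portal weakness at the top because it is the one an attacker would actually use to reach customer data.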

Build incident response before you need it

Most organisations have an incident response plan, but fewer have one that has been meaningfully tested.

When a breach occurs, the first few hours determine everything.

Decisions taken under pressure can determine whether an incident is contained or escalates into a crisis.

Yet many organisations still find themselves asking fundamental questions in that moment: who has authority to act, how communication is handled and what dependencies exist.

An effective incident response capability is a muscle that has to be exercised.

Tabletop exercises expose the gaps that documentation alone will not reveal, and they also force leadership teams to confront difficult questions around risk tolerance, escalation and accountability.

This helps to build the reflexes and relationships that allow organisations to respond clearly when something inevitably does happen.

Make security reporting board-ready

Most security reporting still isn’t designed for the board.

Boards are presented with technical metrics, activity-based reporting and dashboards that assume a level of specialist understanding that does not exist at that level.

This often results in delayed decisions, investment that is harder to justify and, when incidents occur, a limited understanding of the organisation’s risk position.

Effective reporting starts with risk appetite.

  • What level of exposure is acceptable?
  • Which systems are critical to operations?
  • What would a material breach mean in financial and operational terms?

From there, security metrics need to be translated into business outcomes.

That means linking technical activity to reductions in risk and framing performance in terms that reflect the questions boards are already asking.

Treat third-party risk as your own

Third-party compromise continues to play a central role in modern breaches, with attackers increasingly targeting suppliers, platforms and service providers as a route into larger organisations.

Despite this, third-party risk management often remains superficial – due diligence is concentrated at onboarding, contractual requirements are rarely enforced and supplier access is granted with limited ongoing oversight.

A more robust approach requires continuous evaluation.

Suppliers should be expected to evidence compliance with recognised frameworks such as ISO 27001 or SOC 2, access should be tightly controlled and regularly reviewed and high-risk relationships should be subject to the same scrutiny as internal systems.

The uncomfortable truth is that an organisation’s security is only as strong as its weakest supplier.

Organisations that haven’t mapped their supply chain dependencies are carrying risk they just can’t see.

Embed compliance into day-to-day operations

Compliance frameworks such as ISO 27001, Cyber Essentials and SOC 2 are built on patterns observed across thousands of incidents, but the challenge is how they are applied.

Too often, compliance is treated as a parallel exercise, separate from the way the organisation actually operates.

Policies are created to satisfy audits, then disconnected from day-to-day decision-making.

That separation creates risk and it also reduces the value of compliance.

Embedding compliance into operations changes that dynamic – risk assessments begin to inform real decisions, control effectiveness is monitored continuously and governance evolves alongside the business rather than lagging behind it.

Organisations that approach compliance in this way tend to see a broader benefit.

They are easier to assess, easier to trust and better positioned in markets where assurance is increasingly expected.

From protection to accountability

Ultimately, protecting data in the current environment means making data protection a board-level concern, linking controls directly to business risk and building governance structures that hold up under pressure.

No organisation will prevent every incident, but the difference lies in whether a breach occurs despite well-understood and well-managed risk or whether it exposes a lack of structure that should have been addressed earlier.

The question is: the threat has already evolved, but has your approach evolved with it?
