
What businesses need to know before buying

by Mark Rowe

Awareness of cyber threats has never been higher. Major breaches keep making headlines, and each one prompts a rush to spend. As a result, the market is packed with sophisticated cyber offerings – red teaming, adversarial simulation, and every flavour of “advanced” testing you can imagine. They sound urgent and impressive, so many organisations buy them long before they’re ready to make use of what those exercises uncover, says Nick Walker, Regional Director, EMEA at the cyber firm NetSPI.


The problem isn’t the tools themselves; it’s the order in which they are used. Without the fundamentals in place, those high-end services reveal little of real value. Firms end up paying for complexity when what they need first is clarity: visibility of their assets, simple controls, reliable patching, and day-to-day security habits that make any advanced test worth running.


Bridging the gap between ambition and actual readiness

Across the UK, the gap between cyber ambition and actual readiness is widening. The government’s Cyber Security Breaches Survey 2025 found that nearly half of businesses were hit by an attack last year. Yet only 27% have board-level responsibility for cybersecurity, and fewer than one in five trained staff within the past twelve months. Spending is up, awareness is up, but capability isn’t keeping pace.

In highly regulated sectors such as finance and utilities, that maturity is built into daily risk management. Elsewhere, in manufacturing, logistics, retail and charities, it’s much less consistent. Many are told to “think like a bank” without the people, the processes or the visibility to act like one. They overreach, paying for services they can’t yet turn into real protection.

Imagine a mid-sized company that commissions a red team before it’s even carried out a proper penetration test. The exercise might show how easily an attacker could slip through, but it won’t reveal the full range of weaknesses that made that breach possible. Without a clear map of its vulnerabilities, or a routine for patching them, the business learns little it can act on. A few months later it pays for another simulation instead of fixing the underlying flaws. That’s not resilience – that’s fatigue disguised as progress.


When high-quality security becomes performative, not useful

Red teaming and adversarial testing can be hugely valuable in the right conditions. They expose weaknesses that audits might miss and teach teams to think like attackers. Without basic visibility, they’re little more than theatre. A business without Endpoint Detection and Response, regular patching or an incident-response plan isn’t defending itself; it’s watching someone else rehearse the attack.

This points to a deeper problem. Cybersecurity has become performative. Too many boards and vendors treat it as a showcase of capability rather than a process of learning. Providers can push what sounds impressive, while buyers want what looks advanced. Both end up skipping the steps that matter most. Selling high-end simulations to a company missing the basics isn’t innovation; it’s negligence dressed up as expertise.


The state of the UK market: A mixed story

On paper, the UK’s cyber sector is thriving. More than 2,100 firms now operate nationwide, employing around 67,000 people and generating over £13 billion in annual revenue. But the same data shows something less tidy. Almost half of businesses report gaps in fundamental skills such as firewall configuration and data handling, and nearly a third struggle with advanced work like forensics or penetration testing.

Investment tells a similar story. The Northwest now leads the country in cyber venture funding, taking nearly half of all 2024 capital. It’s a sign of confidence, but local skills and training haven’t yet caught up. Without the people to deploy and manage these systems, money moves faster than maturity can. Many organisations are stuck between two worlds, one of aspiration, the other of readiness. And when those collide, what’s left is neither secure nor strategic.


Redefining the ‘basics’

The word “basic” does cybersecurity no favours. It sounds like a starting point when it should mean strength. Asset visibility, access control, patching discipline, data backups and user awareness aren’t warm-up acts before the real show – they are the show. They create the conditions that make advanced tools actually work.

The industry needs to treat these fundamentals as critical infrastructure, not low-value services. It’s easier to sell complexity than consistency, but resilience comes from the latter. A company that patches on time, trains its people, and tests its backups will usually outperform one running the latest detection suite without the muscle to use it properly.

Providers also have a duty to guide, not indulge. The best partners don’t just sell tools; they design journeys, building capability in steady, logical steps rather than hurling clients straight into the deep end.


Keeping up with the tech and a culture of confidence

The challenge isn’t only technical, it’s cultural. The Cyber Security Labour Market Analysis 2025 found that while more than half of UK cyber professionals now use AI in their day-to-day work, fewer than half have any formal training in it. The tech is moving faster than people can adapt, and confidence is suffering. Mature security cultures anticipate that tension. They invest in understanding before automation, making sure every new layer of defence comes with the knowledge to use it well.

Leadership matters too. The proportion of businesses with senior oversight of cybersecurity has dropped since 2021, a worrying sign as threats grow more complex. Governance is what turns technical work into organisational protection. Without it, security becomes an IT chore rather than a business priority: reactive, fragmented and, sooner or later, underfunded until a crisis forces attention.


Purposeful, not performative

Strong cybersecurity depends on two things: having the right tools and knowing how to use them. Firms need both. Technology gives you the means to defend yourself, but without the discipline, skills, and planning to back it up, even the most advanced platform delivers only a fraction of its potential.

The industry often talks as if buying the latest solution is the same as being secure. It isn’t. Too many businesses rush towards high-end services while the basics are still patchy, hoping speed will make up for gaps in preparation. It never does. Real protection comes from maturity – from building a security culture that understands its responsibilities, invests in its people, and puts fundamentals in order before chasing anything more ambitious.

Hype may draw attention, but preparedness keeps you safe. In the years ahead, the only organisations that stay resilient won’t be the ones with the flashiest tools, but the ones that use what they have with purpose, patience, and a clear sense of what matters most.
