
Alan Katt
Co-founder and CEO, SeCore

Basel Katt
Co-founder, SeCore, Professor at NTNU Gjøvik, Head of Department of Information Security and Communication Technology
In a changing cyber threat landscape, organisations must adopt a new approach to cybersecurity by continuously measuring and quantitatively assessing their cyber risk.
Some organisations only realise they’re vulnerable to a cyberattack when it happens. By that time, it’s too late, and the financial, reputational and legal damage they suffer can be utterly devastating.
This isn’t an issue that’s going away either. Worryingly, cyberattacks have been increasing in frequency, with a string of high-profile breaches across the UK and Europe, including incidents affecting the automotive sector, major UK retailers and critical transport infrastructure. No wonder cybersecurity is now viewed as a critical business risk.
The trouble is, it’s tempting for CEOs and business owners to adopt a traditional approach to cybersecurity by treating it as a checklist or a one-off technical exercise. They assume that if their organisation adheres to essential security compliance requirements, it will be impervious to attack. But sadly, it won’t be.
Why a traditional cybersecurity approach is insufficient
“Obviously, compliance is important,” agrees Basel Katt, co-founder of cybersecurity company SeCore. “It gives organisations a baseline of compliance and ensures they have certain cybersecurity controls in place. However, compliance doesn’t equal protection. Breaches can still occur because the threat landscape is changing so dramatically — and so quickly.”
Katt points to several factors, including cloud adoption, third-party suppliers, interconnected systems and advances in AI, each of which opens new attack surfaces for criminals to exploit and so raises the overall level of threat. Older cybersecurity methodologies were not designed for this environment and are no longer sufficient on their own.
Traditionally, organisations have assessed their cyber risk in two ways. The first is to measure themselves against the checklist of a compliance framework. The second is to have a specialist carry out point-in-time penetration testing to find vulnerabilities in their systems.
“Unfortunately, the problem with the first way is that it doesn’t give an organisation any measurable insights into its system,” explains Alan Katt, co-founder, SeCore. “The problem with the second way is that penetration testing is very subjective. In other words, different risk assessment specialists from different companies could discover completely different vulnerabilities.”
The other issue with checklist compliance and point-in-time penetration testing is that they only offer a snapshot of security posture at (as the name suggests) a particular point in time. “These methods don’t tell organisations what their vulnerabilities will be two weeks later when, say, they install third-party software onto their system,” says Basel Katt. “What will be their security posture then?”
Giving clear and measurable insights into risk exposure
Instead, what’s needed in this new, ever-changing threat environment is a continuous, quantitative and evidence-based approach, one that shows in real time how individual weaknesses interact, cascade and amplify risk across systems, cloud environments and third-party dependencies. This gives organisations clear, measurable insight into their risk exposure and shows which individual weaknesses could combine into broader systemic risk.
For instance, the SeCore platform performs regular assessments against multiple standards, aggregating assurance activities and testing outputs and translating them into clear risk scores. It also tracks trends and changes in risk over time, suggests remediation and delivers the supporting evidence to enable better decision-making.
“Giving companies a quantitative score shows them how much assurance — or trust — they can have in their system,” explains Alan Katt. “It also allows them to use their budgets more strategically. For example, installing an expensive firewall may only increase their score by 0.5 points, whereas making a simple change to their network architecture may increase their score by 1.5 points. Ultimately, a quantitative approach helps them assess their priorities and make cybersecurity investments most affordably and effectively.”