This blog was authored by: Ed Tucker, Practice Director, Cyber Security | 11 March 2025
To frame this blog, I had the absolute privilege of being part of a panel at the TEISS conference 2025 in London last week, where we discussed the need and rationale behind rethinking your cyber security investments.
As a panel we had just 30 minutes but still managed to cover a wide range of important considerations. I thought it would be valuable to expand on my key points and share them here. I believe it’s the right time for organisations to rethink their approach to cyber security investments—and, more importantly, to invest more in both their overall strategy and specific areas. In the next few paragraphs, I’ll explain why.
People, Process and Technology
The first aspect I talked about was that when it comes to tech investments, let alone cyber security investments, we tend to get the order wrong. Everyone knows the acronym PPT (no, I don’t mean PowerPoint): People, Process and Technology. It is in that order for a reason. People can be autonomous. Process is dependent on people, and technology is dependent on both process and people.
Yet, time and time again, from the early days of my career through to today, I see far too many organisations and economic buyers focussing on technology and giving far less attention to people and process. The issue isn’t just about implementation; it’s about effectively operating and making the most of that technology.
It is people that operationalise any technological investment, and process that makes it repeatable and, ideally, efficient and effective. The trick with defining processes is that they need a purpose, and you need to recognise when they are no longer needed. Everything has a lifecycle of usefulness, which may or may not align with the lifecycle of your purchase. A lack of focus on people and process leads to drift, underutilisation, or just plain redundancy, even with brand new purchases.
Investment Principle 1. When you look at any investment, give at least equal, if not greater, consideration to the people and process requirements.
Over Purchase, Underuse
This lack of focus on people and process is a key reason why organisations frequently over-purchase and underuse technology. It is a tale as old as time: buying 14 modules, using only two of them, and even then neither to their fullest potential.
It’s no surprise that salespeople will try to sell you as much as possible. They aim to maximise value—both for you and for them—and that balance isn’t always 50/50. You will naturally look to take the most from any investment, in theory, to have the greatest (positive) effect on your use case, or problem statement. But the more complicated the technology, the greater the focus needs to be on the people and process side of things. If you want to fully maximise all the modules you have purchased and ultimately exploit them, then you need to invest in how to do that, especially in the day-to-day operation and insight, rather than just installation or implementation.
Alongside this, you should also put a process in place to regularly assess how much of your investment you are using and why. From a business value perspective, it’s unacceptable to buy something and not use it for five years.
And speaking of value, when evaluating different options within a technology, it is important to be clear about which features will deliver value. Consider what’s involved in achieving that value and whether it’s worth the effort. Often, it’s the prerequisites—things you didn’t realise you needed—that diminish perceived value after purchase.
Investment Principle 2. Evaluate your purchases carefully, consider and plan the necessary steps to derive value from them.
Outcome Based Investments
Value and return on investment (ROI) are not the same thing. While value is one way to assess an investment, ROI provides another perspective. What defines both is the outcome that you are trying to achieve. This is an area where I often see great weakness.
As an industry (and excuse the generalisation), we’re good at defining the “what”—but not the “why.”
Defining the desired outcome is an absolute must for any investment. What are you trying to achieve? For example, implementing an email gateway is just an action, not an outcome. I could implement one poorly and still claim success—so long as the gateway is in place.
The outcome should align with business value or need. It should clearly describe what you are trying to achieve through this investment. Once you define that, then you can define what success looks like and develop some quantifiable metrics to track success.
Clearly defined success criteria allow you to measure and hold stakeholders—whether internal teams, partners, or suppliers—accountable.
This also builds credibility for future investments. If you can demonstrate clear value from a previous purchase, it strengthens trust when justifying the next, potentially more expensive, investment.
Investment Principle 3. Define a clear outcome and success criteria for every investment. Measure progress to ensure it delivers real value.
(Or even consider the point of diminishing returns, something for another blog! In short, it is important to know when to stop.)
My Outcome is Unaware of Your Outcome
Even if you’ve defined your outcomes well, it’s important not to be too insular or narrow in your strategy, because it’s highly likely that your investment, and its intended outcomes, will have a ripple effect on other business areas and investments.
Your approach to cyber security investments can have wide-ranging effects—positive, negative, or neutral—on other teams, technologies, and processes.
For example, consider two separate cyber security goals, with two different intended outcomes, but a co-dependency that, if not considered, could have a detrimental impact.
Imagine you are replacing your web or email gateway. You define your outcomes and success criteria and you’re good to go. However, you also have another cyber security initiative focussed on cultural and behavioural change; the goal here is to promote security as business-friendly and enabling, rather than obstructive.
Now, what happens if your new security investment neglects the user experience? If end users repeatedly encounter generic, unhelpful error messages—such as blocked websites or stripped attachments—without context, their perception of security will be negative. That contradicts your cultural investment goal and undermines your broader security strategy.
This highlights the need for alignment and communication. Don’t assume teams are talking—they often aren’t.
Investment Principle 4. Be aware of the broader impact of your investments. Ensure alignment with related initiatives and communicate effectively across teams.
Post COVID Refresh
Finally, I talked about why now is an ideal time to rethink your cyber security investments. Everyone in a decision-making role today has lived through the rapid transformations of the past few years. COVID-19 fundamentally changed how businesses operate. At the time, decisions had to be made quickly—often tactically, and rightly so. Now, five years on, we can revisit those choices. We can assess them strategically, rather than reactively.
Many COVID-era decisions introduced additional tools, technologies, and complexity—often leading to higher costs of ownership. But this doesn’t have to be permanent. Now that we’re at the natural refresh cycle of those investments, we should be asking: How can we transition from tactical decisions to a strategic vision?
Take networking as a prime example. Many organisations now have a fragmented mix of tools and vendors (firewalls, Cloud Access Security Brokers, Secure Web Gateways), each with different operating requirements and integrations, or a lack thereof.
Now is the ideal time to review those and think about how you could do things differently. Focus on desired outcomes and consider how to revisit your networking with a different lens.
I am seeing a shift in focus from simply talking about ZTNA (Zero Trust Network Access) to actually implementing it, alongside a significant move towards platformisation. This trend is about more than just consolidation; it’s about driving innovation while managing the operational overhead of technology. By unifying outcomes under a single technology stack, organisations can lower total cost of ownership, improve integrations, streamline management, and make better use of their existing investments.
Bringing tools together increases your ability to maximise their value and ensures you’re getting the most from your purchases.
There is obviously a cost of change element to consider, as there would be in changing or renewing a single component. But you do not have to take a big bang approach! Part of rethinking your investments is to help determine the pathway to your desired state, using renewal cycles to help you forecast and plan a pipeline of activities. There is no better time than now.
Investment Principle 5. Apply a strategic lens to your tactical investments. You can often achieve more with less. Look for opportunities to consolidate where it makes sense.
Finally
That’s the key message I shared at TEISS 2025. None of this is rocket science, but it does require organisations to invest more thought into their investment process.
Forget or neglect people and process at your peril! This often leads to purchasing more than you need, or more than you can effectively use. Clearly defined outcomes are key to driving success, but it’s just as important to consider how other investments align. And finally, take the opportunity of refresh cycles to do things better. Hopefully that was of some use, and I’d love to hear your thoughts.