
The Cyber Security Market is Broken, and SMBs are Paying the Price
It's been nearly 18 months since I left the Royal Air Force and entered the private sector with Nova Blue Technologies. And in that time, one thing has become increasingly clear to me: the cyber security market is broken.
Not in a subtle, nuanced, "well it depends" kind of way. Broken in a way that is actively making organisations less secure while spending more money — and I think it's worth saying that out loud.
The Noise Machine
Open LinkedIn and you'll be bombarded. AI-powered detection platforms that promise to cut through the noise and identify attackers faster than ever before. Compliance tools that streamline your journey to certification without anyone stopping to ask what that certification is actually supposed to achieve. Threat intelligence dashboards serving up the latest TTPs of groups with increasingly elaborate names, tracking threat actors with the fervour of a Premier League fantasy football enthusiast.
And underneath all of it, a spiralling hype cycle around frontier AI that has turned what should be a practical discipline - keeping organisations and their people safe - into a technology arms race that most businesses have no hope of winning, or frankly, any need to be fighting.
I get it. Security is hard to sell. Fear moves budgets. Shiny tools look great in procurement decks. But this dynamic has created a market that is structurally biased towards the complex and the expensive, when the evidence consistently points the other way.
What's Actually Happening on the Ground
Here's the reality we encounter when we first engage with a new client — whether that's a brand new defence tech startup, a 15-person professional services firm or a 300-person technology business.
At best: patchy multi-factor authentication (MFA), leaning on legacy methods like SMS codes that were deprecated as a best practice years ago. No conditional access policies. Guest access left open across Microsoft 365 tenants. File stores with permissions so broad that most of the organisation can see things they have no business seeing.
At worst: no MFA at all. Default configurations untouched since the Microsoft 365 licences were activated. Security settings that shipped out of the box and were never revisited.
These are not obscure edge cases. These are the norm. And the uncomfortable truth is that no AI-powered detection platform, no threat intelligence feed, no compliance dashboard is going to fix them. Because they're not detection problems, they're configuration problems. And you solve them by doing the work.
Think Like a Risk Manager, Not a Tech Buyer
There's a model we use a lot in risk management called the bow-tie diagram. If you've never come across it, the idea is simple: in the centre is an event - a breach, a ransomware infection, a data leak. To the left are the threats and threat vectors converging on that event. To the right are the consequences radiating out from it.
The left side is where you put controls - the things you do to prevent the event from happening in the first place. The right side is where you put mitigations - the things you do to limit the damage if it happens anyway.

Most of the security industry wants to sell you the right side of the diagram. Detection. Response. Incident management. Mitigations after the fact.
The left side - controls - is less exciting. It doesn't require a 12-month contract for a platform with a 90-page admin console. It requires someone to actually sit down, configure your environment properly, enforce MFA across the board, set up conditional access, lock down guest permissions, and keep it maintained. It's not glamorous work. But it is effective.
Get the fundamentals right and the vast majority of attacks - we're talking well north of 90% - simply don't succeed. Not because you detected them in time. Because there was nothing to detect. The attack didn't land.
What "Getting the Basics Right" Actually Means
For most organisations running Microsoft 365 - which is the majority of our clients - the fundamentals look something like this:
MFA enforced for all users, ideally phishing-resistant methods such as passkeys. Non-negotiable, no exceptions.
Conditional access policies that control which devices and locations can access your environment.
Guest access reviewed and restricted so that external sharing is deliberate, not accidental.
Admin accounts protected with dedicated, cloud-only identities and privileged access controls.
File store permissions audited so that sensitive data isn't sitting in folders with company-wide read access.
Email security properly configured - SPF, DKIM, DMARC - so your domain can't be trivially spoofed.
Legacy authentication blocked, so attackers can't bypass MFA using older protocols.
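One of the items above, email security, can be checked without any tooling at all. The script below is an added example, not code from the original post or from Nova Blue Technologies: it grades a domain's SPF, DKIM and DMARC records against the "can't be trivially spoofed" goal, flagging the things that typically go wrong (SPF ending in +all or ?all, too many DNS lookups, DMARC left at p=none or with no reporting address, a DKIM selector with no key). It takes the record text as input rather than querying DNS, so it runs offline; the domain names, the selector and the key value in the samples are constructed placeholders.

```python
"""Assess SPF, DKIM and DMARC records for spoofing resistance.

Records are passed in as strings so the check runs offline; in production
you would fetch the TXT records from DNS (e.g. with dnspython) and pass them
in unchanged. Sample records at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# SPF mechanisms/modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?::|/|=|$)", re.I)


@dataclass
class EmailAuthFindings:
    domain: str
    findings: list = field(default_factory=list)  # human-readable issues
    score: int = 0  # number of the three mechanisms with no findings (0..3)


def _tags(record):
    """Parse a 'k=v; k=v' style record (DKIM/DMARC) into a dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def check_spf(record):
    """Return a list of issues with an SPF TXT record (empty list = sound)."""
    if record is None:
        return ["no SPF record: any host can claim to send for this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF record does not start with v=spf1"]
    issues = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().endswith("all")]
    if not all_terms:
        issues.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1].lower()
        if last == "all" or last.startswith("+"):
            issues.append("SPF ends in +all: every host on the internet is authorised")
        elif last.startswith("?"):
            issues.append("SPF ends in ?all (neutral), which receivers treat as no policy")
        elif last.startswith("~"):
            issues.append("SPF ends in ~all (softfail): only useful with DMARC quarantine/reject")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups; the limit is 10, so it will permerror")
    return issues


def check_dkim(record):
    """Return issues with the DKIM record published for the selector being checked."""
    if record is None:
        return ["no DKIM record for the checked selector"]
    if not _tags(record).get("p"):
        return ["DKIM record has an empty p= (key revoked), so signatures will not verify"]
    return []


def check_dmarc(record):
    """Return issues with a DMARC record."""
    if record is None:
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC has no valid p= tag; the record is ignored")
    elif policy == "none":
        issues.append("DMARC p=none: spoofed mail is reported but still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        issues.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("DMARC has no rua= address: you will receive no aggregate reports")
    return issues


def assess(domain, spf, dkim, dmarc):
    """Run all three checks and summarise them for one domain."""
    result = EmailAuthFindings(domain)
    for name, issues in (("SPF", check_spf(spf)), ("DKIM", check_dkim(dkim)),
                         ("DMARC", check_dmarc(dmarc))):
        if issues:
            result.findings.extend(f"{name}: {i}" for i in issues)
        else:
            result.score += 1
    return result


# Constructed sample records (placeholder domains, selector key truncated).
SAMPLES = {
    # a tenant where the basics have been done
    "good.example": ("v=spf1 include:spf.protection.outlook.com -all",
                     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...placeholder",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"),
    # defaults never revisited: neutral SPF, no DKIM, monitoring-only DMARC
    "weak.example": ("v=spf1 include:spf.protection.outlook.com ?all", None,
                     "v=DMARC1; p=none"),
    # SPF that authorises the whole internet and nothing else published
    "open.example": ("v=spf1 +all", None, None),
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        r = assess(domain, *records)
        print(f"{domain}: {r.score}/3")
        for f in r.findings:
            print("  -", f)
```

The score is deliberately coarse: the point is not a number but the list of findings, each of which maps to a concrete DNS change the tenant owner can make this week.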
None of this is exotic. None of it requires a six-figure investment. What it does require is expertise, time, and the willingness to actually implement and maintain the changes rather than hand the client a report and walk away.
This is exactly what our MIDAS managed security service is built to do. We get hands on keyboards, configure your Microsoft 365 environment to a defensible standard, and keep it that way, continuously. Not just a one-time assessment. Ongoing, managed security that treats your environment as a living thing that needs attention.
Yes, You Still Need the Right Side of the Diagram
To be clear: I'm not arguing that detection and response are pointless. They're not. If something does get through - and occasionally things do - you want to know about it quickly and have a plan for what to do next. That's why MIDAS also includes 24/7 detection and response - actual humans monitoring around the clock, so that when something unusual happens, someone is already on it. And for more complex environments we have ATLAS, which includes advanced analytics and detection engineering.
Relevant threat intelligence has its place too - understanding the techniques being used against organisations like yours helps you prioritise where to put your controls. And if you're working towards a compliance certification like Cyber Essentials, ISO 27001, or defence supply chain requirements under Defstan 05-138, there are legitimate business reasons to pursue those alongside good security practice.
But here's the key point: all of that is far more valuable - and far less expensive - when your foundations are solid. Detection works better when there's less noise. Compliance is easier when the controls are already in place. Threat intelligence is actionable when you have a mature enough environment to act on it.
Build from a position of strength. Don't try to paper over weak foundations with expensive tooling.
So What Should You Actually Do?
Start with an honest assessment of where you are. Not a vendor-led pitch dressed up as a discovery call, but a genuine look at your current environment against a recognised standard.
If you're on Microsoft 365, our free M365 Security Scan is a good place to start. We'll take a look at your environment, tell you exactly what's configured well and what isn't, and give you a clear picture of where you stand — no obligation, no upsell pressure. Book your free scan here.
If you already know your foundations need work and you want someone to come in and configure, manage, and maintain your security on an ongoing basis, then take a look at MIDAS and get in touch. That's what we're here for.
The cyber security market will continue to generate noise. New platforms, new threat actor names, new AI-powered promises. Some of it will be genuinely useful. Most of it will be a distraction.
Your job - and ours - is to cut through it. Roll up your sleeves, get the basics right, and build from there.
Or, you know, pay us to do it.