We can’t buy ourselves out of this problem, Cyber security tools are not enough

In the last decade, there has been an explosion of cybersecurity tools, each with its own promise to help combat the threat of cyber attacks. From point solutions powered by artificial intelligence to multi-functional platforms that do it all under one roof. But if you look at any FTSE 100 organization that has suffered a major cyber attack, you will find that they had at least a dozen or so cybersecurity tools.

Don’t get me wrong, tools play an important role in securing and defending an organisation, but there is an over reliance on their effectiveness and exaggeration on their ability. So having the best of breed tools simply isn’t enough, a multidimensional approach to tackle the challenge is required.

We need to take look at the fabric of the organisation and have a deeper understanding of the security culture, velocity of change of both people and technology, risk appetite and risk ownership. These factors play an important role in building a strong security posture that stitches security in to the heart of the organisation and supports a swift response to a cyber attack minimising impact and data loss.

Here are some suggestions to improve your security posture that don't involve security tools or processes.

Follow your data

It is extremely difficult to harden, monitor and respond to every type of security alert. Your effort is probably best used to embark on a journey to identify and defend your most critical data. You will most likely realize early on that the actual Crown Jewels data that needs to be protected are relatively insignificant in size compared to the technology estate that wraps around it. The bigger challenge is understanding the most appropriate way to protect the data from upstream and downstream processing systems.

Move forward as one

Life is much is simpler when you have an organisation that can publish a set of prioritised projects for the next four quarters, and has constructed its delivery teams for success and not line management. This will reduce the clash of priories and disagreement over the value that each project brings to the organisation and what level of risk should be accepted. This allows the Infosec professional to allocate their finite time on projects that actually make it past first base.

Celebrate Failure

When mistakes happen whether it’s a missed alert, a phishing email opened, or a misstep in configuration make it something worth sharing not hiding. The goal isn’t to assign blame but to turn every slip-up into a lesson the whole team benefits from. By openly discussing failures and how they were handled, you create an environment where people feel confident reporting issues early. That mindset strengthens security culture and turns small mistakes into opportunities for collective improvement rather than silent risks.

Down tools

Make time for training and innovation and stick to it, you will never get the most out of your toolkit if you don’t know how to use it properly. It’s also a good idea to enforce some mandatory downtime to take a step back and look at what you have achieved. Exploring the ideas that didn’t work and research new ideas that could work given enough time. Most people don’t work their best under pressure nor is quality ever achieved when there is haste involved.

Value you your people more than gold

Treat your staff as one of the most important assets in the organization. You can start by diverting some investment from tools into your people. Get to know your staff better, find out what they enjoy working on, and help them be the best they can be. Likewise, ensure that all staff truly understand what the organization does and how and why it is done that way. This will help give wider business context to changes that information security professionals rarely get.

The Hidden Threat Intelligence Inside Your Organization

Every organization holds a significant but often overlooked source of threat intelligence: its own people. Employees encounter risks and weaknesses that no automated tool or external threat feed is set up to detect. They notice security settings that get bypassed to keep things running smoothly and they understand which parts of the process or system carry risks that may not show up in a dashboard or report.

In many cases, employees already know exactly what needs fixing, whether it’s outdated software, misconfigured access controls, or gaps in monitoring. But acting on it isn’t always straightforward. Business priorities, limited time, cost pressures, or simply not knowing who to tell can keep these weaknesses around. This is where the cybersecurity team can step in not just as enforcers of policy but as partners who help bridge that gap. By providing time, budget, and technical expertise, the cybersecurity team can turn internal knowledge into practical improvements. That kind of support turns overlooked observations into real, proactive security gains.

Tools Are Only Part of the Picture

I am not saying you don’t need security tools. You absolutely do. But tools aren’t enough on their own. Real cybersecurity maturity comes from combining technology with human insight. The smartest teams build processes that blend both: leveraging platforms to handle scale and speed while using employee-driven intelligence to fill in the gaps that no tool can see. That’s how you move from simply detecting threats to understanding them and ultimately, stopping them faster.