Expert Insights

My Three-Step Framework for Securing Critical National Infrastructure

Visibility, remediation, detection: A 17-year practitioner's guide to building national cybersecurity capacity, from government to enterprise.

David Smith

Regional Lead Consultant

April 29, 2026


Government cybersecurity consultant David Smith distils the framework he uses when advising critical national infrastructure organizations across the Balkans: visibility first, then remediation and hardening, then detection and response. Drawing on real incidents, Smith argues that the sequence matters as much as the tools, and that people, process, and governance are not soft considerations, but the primary factors that determine whether any tool investment delivers real security or just a better-looking dashboard.

This article was adapted from a conversation on the All Things Cyber podcast, hosted by Robin de Vries and Stephane Konarkowski of ThingsRecon.

I have a battle on my hands after 17 years in cybersecurity.

Most organizations — enterprises, government ministries, critical national infrastructure — believe that buying the right tools solves the problem. The tool is valuable, but it’s not the starting point. And when you start with tools before you have earned the right to use them, you end up with visibility into a surface you haven't mapped, alerts from systems you haven't hardened, and detection capabilities running on a baseline that is fundamentally incomplete.

The sequence matters. Below is the sequence I use with every organization I work with, from a ministry that just appointed its first-ever cyber minister to critical national infrastructure that has been defending against nation-state attacks for years.

Step 1: Visibility — You Cannot Fix What You Cannot See

This sounds obvious and repetitive, but working in the field shows it’s not practiced nearly as often as it is understood.

Before you assess risk, before you buy a monitoring platform, before you run a penetration test, you need to know what you actually have. Not what procurement says you have. Not what the network diagram from 2019 shows. What is actually out there, what it is connected to, and what it is doing.

In government and CNI environments, this is harder than it sounds. Different ministries run different systems. Some are governed by central IT procurement. Some are excluded by law because they need to operate independently: the police, the prosecution service, the legal institutions.  

The political landscape shapes the technical landscape, and until you understand both, your picture of the surface is incomplete.

When I approach a new country, I map the political and institutional structure before I open a single port scanner. Because you cannot understand the digital connections without understanding who owns what.
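As an added example (not from the original article or its author), here is how the visibility step can be made concrete: reconcile the documented estate against what an external scan actually observed, and attribute anything undocumented to an owning institution so it can be routed. The hostnames, owners and ports are constructed sample data, and the subdomain-to-owner rule is an assumption.

```python
"""Reconcile the documented estate (what procurement or the old diagram says)
against what an external scan actually observed. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str         # owning institution (ministry, agency, ...)
    central_it: bool   # governed by central procurement, or legally independent


# Constructed: the documented inventory, as procurement records it.
DOCUMENTED = [
    Asset("portal.finance.example.gov", "Ministry of Finance", True),
    Asset("mail.finance.example.gov", "Ministry of Finance", True),
    Asset("cases.prosecution.example.gov", "Prosecution Service", False),
    Asset("legacy.finance.example.gov", "Ministry of Finance", True),  # decommissioned in reality
]

# Constructed: hosts an external scan saw responding, with their open ports.
OBSERVED = {
    "portal.finance.example.gov": {443},
    "mail.finance.example.gov": {443, 25},
    "cases.prosecution.example.gov": {443},
    "test-cases.prosecution.example.gov": {443, 8080},  # nobody documented this
    "backup.police.example.gov": {22, 3389},            # nor this
}


def reconcile(documented, observed):
    by_host = {a.host: a for a in documented}
    unknown = sorted(h for h in observed if h not in by_host)  # shadow assets
    stale = sorted(h for h in by_host if h not in observed)    # exist on paper only

    # Assumption: one institution per subdomain, so an undocumented host can be
    # attributed by its parent domain and the finding has someone to go to.
    def guess_owner(host):
        for a in documented:
            if host.split(".", 1)[1] == a.host.split(".", 1)[1]:
                return a.owner
        return "UNASSIGNED"

    return {
        "unknown": {h: guess_owner(h) for h in unknown},
        "stale": stale,
        # Institutions outside central IT need their own engagement path.
        "outside_central_it": sorted(a.host for a in documented if not a.central_it),
    }


if __name__ == "__main__":
    for key, value in reconcile(DOCUMENTED, OBSERVED).items():
        print(key, value)
```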

Step 2: Remediation and Hardening — Fixing What You Can Now See

Once you can see your state, you fix it. This is where the people and the processes matter as much as any tool you deploy.

I am still, in some of the organizations I work with across the Balkans, trying to get password policies changed so that credentials expire monthly. That is where some of these institutions are. And that is fine, everyone starts somewhere. But it means the next conversation is not about advanced threat intelligence platforms. It is about whether someone is accountable for acting on what the existing tools are already showing.

A vulnerability scanner that produces a report nobody acts on has not improved your security posture. The governance around remediation (who is responsible, what the timeline is, how it is tracked and evidenced) is the actual work. The tool enables it. The people and processes deliver it.

The Transition State: The Window Nobody Is Watching

There is a specific moment when most organizations are at their most exposed. It is not during steady operations. It is during change.

Every digital transformation creates what I call a transition state: the period between state A and state B, where systems are being configured, partially live, partially connected, partially secured. In that window, things get missed. An engineer configures a server, decides it is not technically live yet, and goes home for the evening. The server is exposed on the internet. It is not live in their mind, but it’s visible to anyone scanning.

I was at a law firm a few years ago. They were migrating to OWA; somebody forgot to put authentication on it and went home. It cost them 6.5 million pounds.

Traditional assessments and pen tests don't capture those transitional periods. Everyone wants to pen test before a transition and after. That tells a nice story, but it doesn't tell you when the risk went up.

Pen tests measure state A and state B. They do not measure the risk trajectory between them. That trajectory normally goes up before it comes down. Continuous monitoring exists precisely for this window, and it is the window that matters most.
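To illustrate the point about the risk trajectory, this added example (not the author's code) scores exposure from daily external checks across a constructed migration window. State A and state B score the same, so a before-and-after pen test sees nothing; the peak sits in the middle, on the day a server was built, reachable, and "not live yet". Hostnames, snapshots and the scoring weights are assumptions.

```python
"""Track exposure across a migration rather than only at state A and state B.
Snapshots are constructed daily external checks of one cut-over."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    auth: bool       # did the endpoint challenge for credentials?
    hardened: bool   # baseline applied (patched, TLS config, admin paths closed)


# Constructed: day 0 is state A (old mail server), days 1-3 are the cut-over,
# day 4 is state B (new server only). Day 1 is the "built but not live" evening.
SNAPSHOTS = {
    "day0_stateA": [Service("mail-old.example.gov", 443, True, True)],
    "day1": [Service("mail-old.example.gov", 443, True, True),
             Service("owa-new.example.gov", 443, False, False)],
    "day2": [Service("mail-old.example.gov", 443, True, True),
             Service("owa-new.example.gov", 443, False, True)],
    "day3": [Service("owa-new.example.gov", 443, True, True)],
    "day4_stateB": [Service("owa-new.example.gov", 443, True, True)],
}


def exposure_score(services):
    # Assumed weights: each exposed service costs 1, +2 without auth, +1 unhardened.
    return sum(1 + (0 if s.auth else 2) + (0 if s.hardened else 1) for s in services)


def trajectory(snapshots):
    """Return (label, score, newly_exposed) per snapshot, in order."""
    seen, out = set(), []
    for label, services in snapshots.items():
        keys = {(s.host, s.port) for s in services}
        new = sorted(keys - seen)  # first appearance is the moment to look at
        seen |= keys
        out.append((label, exposure_score(services), new))
    return out


def peak(snapshots):
    """The snapshot where risk peaked; a test at A and B alone never sees it."""
    return max(trajectory(snapshots), key=lambda row: row[1])


def a_to_b_delta(snapshots):
    """What a before/after comparison reports: end-state minus start-state."""
    states = list(snapshots.values())
    return exposure_score(states[-1]) - exposure_score(states[0])
```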

Step 3: Detection and Response — Earned, Not Bought

Detection and response is where most organizations want to start. It is the most visible, the most technology-heavy, the most demonstrably sophisticated part of a security program. It is also the part that depends entirely on the quality of the first two steps.

If your baseline is incomplete, if you have not mapped your surface and hardened what you found, then your detection capability is operating against a picture that is wrong. You will miss things that matter because you did not know they were there. You will chase things that don't matter because your baseline is noisy.

Automating detection and response, and increasingly using AI to do it, is where the industry is heading. That is the right direction. But automation running on a bad foundation produces bad outcomes faster.

The Framework in Practice

Step | What It Means in Practice
1. Visibility | Map your real digital surface: assets, connections, third-party integrations, and unknown dependencies. Start from what is actually there, not what is documented.
2. Remediation & Hardening | Fix what you found. Build the governance, assign accountability, track closure. The tool shows the problem. People and process fix it.
3. Detection & Response | Once you have a clean, accurate baseline, detection becomes meaningful. Automate carefully, govern closely.

Why People and Process Are Not Soft Considerations

The tools we have available now are genuinely remarkable. The gap is in the governance around that technology.  

Training people on tools is just as important as the tools themselves. The processes embedded behind a tool, like how alerts are triaged, how vulnerabilities are assigned, how remediation is tracked, or how exceptions are governed, determine whether that tool produces security intelligence or just produces data.

We have a long way to go in ensuring that governance keeps pace with the technology available. And it starts with the sequence: visibility, remediation, detection, in that order, with detection coming only once you have earned it.

David Smith is Regional Lead Consultant for Eastern Europe and the Balkans at BAE Systems Digital Intelligence. He has spent 17 years working in government and critical national infrastructure security. This post was adapted from Episode 5 of the All Things Cyber podcast.
