Working the Problem in Cyber Security

Cyber security is so noisy. Tools, alerts, frameworks, compliance checklists, all competing for attention, all demanding urgency.

Every vulnerability management tool or DLP solution spits out millions of alerts. We’re drowning in data. The question, as Jerome Brown, Head of Cyber Security & Risk for Country Road Group, put it when we spoke recently, is this:

“So what? What should we be working on?”

That’s the heart of the matter. We don’t need more noise. We need clarity on the real risks that will compromise the business. Watch video highlights of our conversation and read the takeaways below. 

Watch the video here: https://www.youtube.com/watch?si=H2ufwUUAYkhn0INC&v=viM-3ytDE3A&feature=youtu.be

The wrong questions

For decades, the industry has been stuck on high/medium/low vulnerability ratings. It’s compliance-driven, not risk-driven.

Frameworks demand we patch “critical” issues within a set SLA. But rarely does a compliance framework ask us to map an actual attack path — the sequence of steps that would realistically lead to a breach.

Jerome explained it well: between the millions of vulnerabilities flagged by tools and the handful of findings in a pen test, the truth lies in the middle. Real business risk sits in that space, but too often we’re beholden to the categories our tools and audits impose.

When we ask the wrong questions, we set ourselves up for the wrong outcomes. We waste capacity chasing compliance, not reducing risk.

Attack paths, not alerts

A pen test often focuses on obvious targets: the “crown jewels” everyone expects to be attacked. But the reality is different. What gets you hacked is almost never what the scope covers.

Attackers don’t always go straight for the shiny application. They exploit the context: weak cloud configuration, insecure processes, or overlooked dependencies.

Jerome gave the example of service desk credential resets. Attackers aren’t hacking systems; they’re logging in. They exploit people and processes. And there’s no scanner for that.

That’s why we need to focus on attack paths: the combination of vulnerabilities, misconfigurations, and human factors that, together, open the door. Each step might look like a “medium” on paper, but chained together, they’re catastrophic.
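To make that point concrete, here is an added example (it is not code from the article, from Jerome Brown’s team, or from any real product) that models each finding as a step between attacker positions and ranks findings by whether they sit on a path to a business capability, rather than by their severity label. The findings, the states, and the "order_fulfilment" target are constructed and hypothetical; the severity ladder and the chokepoint heuristic are assumptions for the illustration:

```python
from collections import defaultdict

# Constructed, hypothetical findings for illustration only: none of these describe
# a real system. Each finding is an edge in a state graph: exploiting it moves an
# attacker from the precondition state to the state gained.
# (id, severity, description, precondition state, state gained)
FINDINGS = [
    ("F1", "critical", "Unpatched remote code execution on an isolated lab server", "internet", "lab_server"),
    ("F2", "medium", "Service desk resets passwords on a phone call with an employee ID alone", "internet", "staff_account"),
    ("F3", "medium", "VPN accepts password-only logon for staff accounts (no MFA)", "staff_account", "corp_network"),
    ("F4", "medium", "Build runner on the corporate network holds a cloud role that reads every storage bucket", "corp_network", "cloud_storage"),
    ("F5", "low", "Order-fulfilment database backups kept in a shared storage bucket", "cloud_storage", "order_fulfilment"),
    ("F6", "high", "Outdated library in the internal wiki", "corp_network", "wiki"),
    ("F7", "medium", "Cloud console SSO for staff accounts is password-only", "staff_account", "cloud_storage"),
]

# Assumed ordering of the usual scanner labels, best (most urgent) first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def build_graph(findings):
    """Map each precondition state to the (finding id, state gained) edges leaving it."""
    graph = defaultdict(list)
    for fid, _severity, _desc, src, dst in findings:
        graph[src].append((fid, dst))
    return graph


def find_attack_paths(findings, start, targets):
    """Enumerate every simple chain of findings that takes an attacker from `start`
    to a state in `targets` (the business capability we actually care about)."""
    graph = build_graph(findings)
    paths = []

    def walk(state, visited, trail):
        if state in targets:
            paths.append(list(trail))
            return
        for fid, nxt in graph.get(state, []):
            if nxt not in visited:  # keep paths simple: never revisit a state
                walk(nxt, visited | {nxt}, trail + [fid])

    walk(start, {start}, [])
    return paths


def rank_by_severity(findings):
    """The scanner view: critical first, regardless of where the finding sits."""
    return [f[0] for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])]


def rank_by_attack_path(findings, start, targets):
    """The attack-path view: findings that appear on more paths to the target are
    better chokepoints and rank first; severity only breaks ties. Findings on no
    path sink to the bottom whatever their rating."""
    path_count = defaultdict(int)
    for path in find_attack_paths(findings, start, targets):
        for fid in path:
            path_count[fid] += 1
    severity = {f[0]: SEVERITY_ORDER[f[1]] for f in findings}
    return sorted((f[0] for f in findings),
                  key=lambda fid: (-path_count[fid], severity[fid], fid))


if __name__ == "__main__":
    target = {"order_fulfilment"}
    print("severity ranking:   ", rank_by_severity(FINDINGS))
    print("attack-path ranking:", rank_by_attack_path(FINDINGS, "internet", target))
    for path in find_attack_paths(FINDINGS, "internet", target):
        print("path to order fulfilment:", " -> ".join(path))
```

Run it and the severity view puts the isolated critical (F1) first, while the path view surfaces the service desk reset (F2) and the shared backup bucket (F5) as the chokepoints every path to order fulfilment passes through. Three mediums and a low are the real risk; the critical and the high sink to the bottom because nothing reachable from them touches the capability. Swapping the target set to another capability re-ranks the same findings, which is the mapping exercise the article argues for.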

Urgent vs important

This is where many CISOs get stuck. Noise doesn’t just come from tools. It also comes from media headlines, vendor pitches, and board pressures. Everyone claims their issue is the most urgent. But urgent is not the same as important.

“Cyber is intensely noisy… vendors, media, everyone is calling for your attention. But you need to focus on what’s going to move the needle long term,” Jerome told me.

I’ve seen CISOs enter roles with the promise of “doing security properly,” only to be derailed by the 100-day plan. Urgent, externally imposed demands replace the important work of fixing what really matters.

More tools, more alerts, more distractions. And still the core risks remain.

The real crown jewels

Another trap is confusing “crown jewels” with “what attackers are really after.” A CDO I spoke to once defined crown jewels as IP and client data. Reasonable. But when ransomware hit, it wasn’t the data that mattered, it was the ability to operate. The attackers wanted ransom, not the jewels.

As Jerome pointed out, business capability mapping is vital. The finance system may seem critical, but if payroll can be run manually in a pinch, it’s not the first priority. What matters is understanding business impact, not assuming every system is indispensable.

When we expand our thinking from protecting crown jewels to protecting the processes that keep the business running, we inherit resilience as a byproduct.

Working the problem

Working the problem, not just naming it, is the hard part. Compliance, tools, vendors, and even our own instincts pull us towards urgent distractions. However, clarity comes from asking: what are the attack paths that matter most?

“You need to be comfortable knowing there’s a body of work you’ll never finish. And that’s okay,” Jerome says. The task is to decide which parts of that work genuinely reduce risk, and which are noise.

That requires uncomfortable conversations with boards and executives. It requires CISOs to move out of the purely technical mindset and into the role of business risk advisor. It requires saying “no” often.

And it requires humility: accepting that priorities must change as facts change. What mattered a year ago may not matter today. Sticking rigidly to yesterday’s plan is just another form of noise.

Five key takeaways

Here are a few ideas that I wish security leaders considered more often:

  1. Attack paths matter more than alerts. Don’t get lost in high/medium/low ratings — map how vulnerabilities connect to create real risk.
  2. Urgent does not equal important. Vendor pitches, zero-day headlines, and board requests shouldn’t distract from long-term risk reduction.
  3. Business impact defines the crown jewels. Protect the processes that keep the business alive, not just the obvious assets.
  4. Resilience comes from expansion. Secure the crown jewels, then expand the net outward. Resilience is the byproduct.
  5. Noise is inevitable, but clarity is possible. Accept that not everything can be fixed. Focus relentlessly on what moves the needle.


A false impression of progress has been produced by the industry's fixation with noise, including CVSS scores, scanners, dashboards, and SLA-driven patching. Frequently, we optimize for alert reduction rather than risk reduction. Instead of taking advantage of "high-severity findings," attackers take advantage of attack pathways, which include flawed identity procedures, neglected dependencies, misaligned privileges, and human-caused vulnerabilities that no vulnerability scanner will ever find. The maturity line that many organizations have yet to transcend is the transition from "fix what the tool tells you" to "fix what breaks the business." This is where cyber finally turns into a strategic risk discipline rather than a compliance factory: business capability mapping, actual attack-path modeling, and emphasizing operational continuity over theoretical crown jewels. There will always be noise. Setting priorities is a decision made by a leader. Important work is rarely the loudest job, as you both point out.

I had a great time working through this; thanks for the session. I hope some folks find this valuable!


More articles by Dan Haagman
