UK organisations are spending more on cyber security than at any point in the last decade. Board-level attention is higher. Insurance premiums have forced hands. Regulators, whether the ICO, the FCA, or the NCSC through its guidance, have raised expectations of what “reasonable” security looks like. And yet, the headlines keep arriving. A retailer here, a local authority there, a housing association, a pathology lab, a legal firm. The incidents do not seem to be slowing down.
The uncomfortable explanation is that a lot of the extra spending isn’t buying much extra protection. It’s buying more tools. There’s a meaningful difference.
The sprawl problem
A mid-sized UK business will typically have thirty or forty security tools running at any given moment. Some are left over from previous IT leadership. Some were bought in panic after a close call or a peer’s incident. Some were bundled into Microsoft 365 E5 licences and never switched on. Some overlap with each other in ways that nobody has audited. The security operations team, if there is one, spends its days triaging alerts from systems that weren’t designed to talk to each other.
This is not a tooling problem. The tools are largely fine. Microsoft’s security stack in particular (Defender XDR, Sentinel, Purview, Entra, Defender for Cloud) has matured into something genuinely capable. The problem is that capability sitting in a portal nobody opens is not the same as protection.
The attackers know this. The growth industry in ransomware over the last three years has been what practitioners call “living off the land,” where the intruder uses legitimate administrative tools already present in the environment to move around undetected. When defensive tools are poorly configured, half-deployed, or generating so much noise that nobody looks at them, living off the land is trivially easy.
The Microsoft estate most organisations have forgotten they own
A large number of UK organisations sitting on Microsoft 365 E5 or E3 with security add-ons have already paid for security capabilities that could materially reduce their risk. Most of them are not using those capabilities properly. Conditional access policies that were set up years ago and never reviewed. Defender policies left on default settings. Sentinel deployed in demo mode with two or three data connectors and no serious detection content. Purview bought for compliance reasons and then never properly operationalised.
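A simple way to make the “set up years ago and never reviewed” problem visible is to run the tenant’s Conditional Access policy export through a drift check. The script below is an added example, not from the article or the partner it mentions; it assumes a JSON export shaped like the Microsoft Graph `conditionalAccess/policies` response (the `displayName`, `state` and `modifiedDateTime` fields), uses a constructed sample export, and flags policies that are disabled, stuck in report-only mode, or untouched for more than a year.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export; shape and field names assumed to follow the
# Microsoft Graph conditionalAccess/policies response.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "modifiedDateTime": "2019-03-04T10:00:00Z"},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "modifiedDateTime": "2021-06-01T09:00:00Z"},
    {"displayName": "Require compliant device for admins", "state": "disabled",
     "modifiedDateTime": "2022-01-10T12:00:00Z"},
    {"displayName": "Restrict access from unsupported countries", "state": "enabled",
     "modifiedDateTime": "2025-02-15T08:30:00Z"},
]})

STALE_AFTER = timedelta(days=365)  # review window assumed for this example


def _parse(ts):
    # Graph emits UTC timestamps with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_policies(export_json, now_iso):
    """Return (policy name, finding) pairs for policies that need attention."""
    now = _parse(now_iso)
    findings = []
    for policy in json.loads(export_json)["value"]:
        name = policy["displayName"]
        if policy["state"] == "disabled":
            findings.append((name, "disabled: paid-for control providing no protection"))
        elif policy["state"] == "enabledForReportingButNotEnforced":
            findings.append((name, "report-only: never promoted to enforcement"))
        if now - _parse(policy["modifiedDateTime"]) > STALE_AFTER:
            findings.append((name, "not reviewed for over a year"))
    return findings


if __name__ == "__main__":
    for name, finding in review_policies(SAMPLE_EXPORT, "2025-06-01T00:00:00Z"):
        print(f"{name}: {finding}")
```

Against a real tenant, the same function can be pointed at the output of a Graph policy export; the assessment a board should expect is the list this produces, not the number of policies that exist.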
This is, paradoxically, good news. It means the investment has already been made. The capability is there. What’s missing is the configuration work, the tuning, and the operational discipline to actually extract value from it. Which is usually cheaper than buying another tool.
One UK partner’s breakdown of its Microsoft cyber security consultancy lays this out in reasonable detail, including the assessment work, the deployment of tools like Sentinel and Defender, and the governance layer through Purview. It’s worth treating as a checklist for what an organisation should expect from any external security review, not just a marketing page. If a proposed engagement covers fewer of these areas than the list suggests, that’s a question to ask.
SOC maturity is the part nobody wants to talk about
Having tools is one thing. Having a security operations centre that actually does something with the alerts those tools generate is another. A lot of UK organisations have bought themselves into a middle ground where they have too many alerts to process internally but not enough budget for a proper 24/7 internal SOC. They settle for a managed detection and response service, sometimes delivered by a firm that treats it as a volume game and responds to high-severity alerts within a contractual window that would make a security professional wince.
The honest assessment is that 24/7 monitoring, done properly, is expensive, and the reason it’s expensive is that it requires analysts who know what they’re doing, available at 3am on a Sunday. Cutting corners on this part of the operation is where a lot of organisations end up in the news.
What good looks like here is a small number of things done consistently: fast mean time to detect, faster mean time to respond, escalation paths that actually get people out of bed when they need to, and an ongoing tuning process that reduces noise over time rather than letting it grow.
The honest board conversation
If the question in front of the board is “are we spending enough on cyber,” the answer is almost always yes. If the question is “are we spending well,” the answer is more interesting and usually less comfortable. Most UK organisations would get materially more security from a ruthless consolidation of what they already own than from another round of tool purchases.
That conversation is harder to have than signing off a new line item. It’s also the one that actually moves the needle.
