Pragmatist vs Purist - Cyber Security
Ben Robinson is one of our most respected and sought-after associates, having worked with us on various clients and projects since 2018.
Although his formal involvement with Platform Smart began in 2018, Ben has been a close connection for much longer, having known many members of the Senior Team for over 20 years. Personally, I worked closely with him during Platform Smart’s Architecture and Governance Service for one of the UK’s leading airports, where I witnessed his vast knowledge of technology, particularly in cybersecurity.
I recently caught up with Ben to discuss the topic of pragmatism vs. purism, and the common pitfalls technology purists encounter when delivering cyber initiatives within organisations.
Introduction by Stephen Cox
Stephen: Can you explain what you mean by "Pragmatist vs Purist" in terms of IT security?
Ben: I see this distinction frequently with customers, and I experienced it earlier in my career. It's easy to design an idealised, perfect security architecture, forgetting that it must be implemented, maintained, and actually deliver business value. The reality of ‘business’ forces you to abandon these purist approaches because they often don’t address practical needs such as low total cost of ownership or user value. That’s when pragmatism and balance become necessary.
In security, you often see a maturity-based approach where companies aim for broad goals—like encrypting 80% of their data by 2025 or ensuring 99.95% uptime. However, no one stops to ask: Which data needs encryption? Which services require such high availability? This leads to unnecessary spending on security measures for areas where the risk is minimal, rather than focusing on reducing the big risks.
Stephen: Is cost a major factor in achieving the gold standard? How do companies determine how much to spend on security, especially when architects suggest a whole range of solutions?
Ben: That’s exactly it—a risk-based approach is key. Businesses exist to create value, and risk represents potential negative value. To invest appropriately in mitigating risk, you need to understand the value at stake. For example, there’s no point in spending £10,000 to mitigate a risk that would only cost £5,000 if realised. But if the risk might cost £1,000,000, spending £10,000 is a wise investment with a great payoff.
Many businesses struggle to quantify risk or even define it properly. I often hear about “cybersecurity risks” or “technical risk registers,” but these are really business risks viewed through the lens of technology. Whether it’s loss of data or system downtime, these risks have financial consequences like regulatory fines or reputational damage. Defining risks in business terms helps people make informed decisions.
I also see confusion between risks, threats, and vulnerabilities—even from senior leaders. Cybersecurity is about mitigating threats and closing vulnerabilities. Theoretically, if you had no vulnerabilities, threats wouldn’t matter because they couldn’t exploit anything. Understanding these distinctions is crucial for meaningful conversations about risk.
Stephen: How do you quantify risk financially?
Ben: Cybersecurity professionals use a formula called annualised loss expectancy (ALE). It calculates potential loss based on the value of the asset and its exposure to risk. For instance, if you have a data centre worth £10 million in an earthquake zone, you might estimate that only 50% of the data centre would be damaged in an earthquake. That reduces your single loss risk to £5 million. Then you consider how often earthquakes occur—if it’s once every 100 years, the annualised loss expectancy of the risk becomes smaller, due to the financial impact being spread across that period. You can then determine how much to invest per annum in mitigating that risk.
The key is to avoid spending more on mitigation than the potential cost of the risk itself. This is a challenge because certain risks, such as data loss from a ransomware attack, are harder to predict. The frequency and impact vary across organisations, and those who pay ransoms are often targeted again because they are seen as easy prey, so there’s no ‘one size fits all’ answer.
Stephen: How frequently do ransomware attacks occur?
Ben: They happen constantly. Ransomware attacks are ongoing as we speak. The challenge is determining how often it will affect a specific business. There isn't a lot of historical data to rely on because ransomware, as a major threat, is relatively new. The frequency is increasing as attackers find more effective ways to monetise it—ransomware-as-a-service, for example. Unlike natural events like earthquakes, where we can estimate occurrence, we don’t have particularly accurate measures for risks arising from ransomware attacks yet. This uncertainty is something businesses struggle with.
Stephen: In larger companies, there’s often a divide between IT and the rest of the business. Many see them as separate entities even though most new successful companies today are tech-driven. How do you break down this divide from a security perspective?
Ben: This is a common issue. IT is an integral part of any business today—no company can operate without it. However, many businesses still view cybersecurity as an IT problem because it protects technical assets. However, cybersecurity is a business issue. Risks should be framed in business terms, which helps break down these silos. By labelling them “business risks” rather than “IT risks,” they get the attention they deserve at the board level.
To bridge the gap, IT and business stakeholders need to collaborate. IT must serve the business by providing value, not creating unnecessary barriers with excessive controls. On the other hand, business stakeholders need to understand IT’s requirements, especially around security. For example, businesses often seek agility through cloud adoption, but outdated change control processes can slow this down. We need to move away from those old approaches to allow IT to deliver value efficiently, whilst keeping risk within organisational tolerance.
Stephen: So, if too many barriers are put up, business leaders might become more focused on bypassing them, which could actually lead to weaker security.
Ben: Exactly. A great example of this is password policies. For years, we thought complex, frequently changed passwords were secure. But in reality, people end up writing them down or using simple tricks like incrementing a number—making them easy targets for password-spray attacks. The best password is one that’s memorable. Simpler solutions, like the three-word password recommendation from NCSC, are more secure and user-friendly. It’s a classic case where overly complicated controls can lead to worse outcomes.
Stephen: What should every small to medium-sized business have as a minimum level of security?
Ben: The most effective investment is awareness training. We've spent decades improving technology—things like HTTPS, TLS, and IPSec. But none of that protects against phishing, which remains the easiest way to compromise a human. Once that human and their associated credentials are compromised, the attacker will pass through other controls unchecked.
Ben: I think where things are heading, due to the sheer volume of threats, is towards leveraging AI. For example, the company I work for processes in excess of 70 trillion signals daily—far more than any human could process. We've already seen the shift towards machine learning, and now the evolution is AI. AI helps augment Security Operations Centers (SOCs) because there's a shortage of cybersecurity skills. You’ll never have enough SOC analysts, so you need AI to handle repetitive tasks, letting analysts focus on more strategic activities. Many big security companies are already using AI in this way.
However, there’s a flipside. We know from history that attackers will use the same tools against you. Just as defenders are turning to AI, so will attackers. It’s an arms race, like in other areas of cybersecurity.
Stephen: Let’s talk about security accreditations, especially ISO 27001. It’s often seen as the gold standard for getting into any business and passing procurement checks. But there’s a growing sentiment that it might not be as secure as it seems and that companies can “risk accept” large parts of the framework. What’s your view on this, and what would you recommend as a secure accreditation?
Ben: ISO 27001 is a solid standard. It requires companies to implement an Information Security Management System (ISMS) that aligns with the standard, with 27002 providing guidance on controls. But the effectiveness of this standard depends on how it's implemented. The audit process checks both the existence of processes and whether those processes are being followed.
That said, ISO 27001 is not inherently a risk management framework. As you pointed out, companies can “risk accept” many of the controls, depending on their risk tolerance. For example, a startup might prioritise speed to market over strict security controls because failing to launch their product quickly could be a bigger risk than not having certain controls in place. The key is aligning the standard with the company’s risk tolerance and business goals.
You also need to consider the nature of the information you're protecting. When we talk about security, we focus on the CIA triad: confidentiality, integrity, and availability. Some information may require high confidentiality but not high availability, while other data might need to be highly available but not confidential. We don’t protect the canteen menu in the same way we do the HR database.
One of the biggest fears nowadays is that if I can impersonate you, I can bypass all your security controls. However, there are some limits. Administrators are especially vulnerable. Here's an example: an attacker aims to execute a ransomware attack by phishing someone in a large organisation. The person they initially phish might not have privileged access, but once they compromise that user, they gain a foothold on the network. From there, the attacker will analyse the environment and move laterally, stealing credentials as they go.
They move laterally because many workstations share administrative accounts, making it easy for the attacker to exploit typical network communications. Their ultimate goal is to escalate their access, usually by targeting jump servers where high-value administrative credentials reside. If they succeed, they can harvest those credentials from memory, elevate privileges, and aim for domain dominance, this being sweeping control of Active Directory, which is common in enterprises.
Attackers don’t necessarily want to control the domain itself; they know that achieving domain admin status gives them access to virtually all the information they need. Once they have this access, they may steal or threaten to publish data, or simply deploy ransomware through a group policy, encrypting everything in the environment. Victims may then have to pay a ransom, typically in Bitcoin, with no guarantee the data will be decrypted.
These attacks succeed due to poor credential hygiene, including at the administrative level. Attackers count on the fact that most organisations don’t properly manage their environments. However, certain measures, such as multi-factor authentication (MFA) and privileged identity management (PIM), can slow them down. For example, requiring a service ticket and time-bound access for admin privileges can prevent unauthorised elevation.
One of the most effective defences is the use of privileged access workstations (PAW). These workstations do not run productivity tools and are specifically designed for administrative tasks. By preventing them from accessing untrusted apps and sites, or downloading emails potentially carrying malware, and ensuring strict, ring-fenced administrative channels, you mitigate the risk of these workstations – and the administrative accounts used on them – being compromised.
Another key rule is to never use your regular productivity account for administrative tasks, as the credentials for that account can be easily stolen. You should also avoid syncing admin accounts from on-premises to cloud directories, as this creates a pivot point for attackers to move from the on-premises environment to the cloud.
If your administrative controls are well-implemented, even if the broader environment is compromised, you can recover because your admins remain protected. Every serious breach I’ve encountered involved compromise of the administrative tier, usually due to poor credential hygiene or violations of these core principles.
Stephen: We’ve talked about money being a primary motivator for attackers. Is that the only reason behind the recent surge in cyberattacks, particularly since COVID, or are there other factors?
Ben: While money is a significant motivator, it’s not the only one. It's no surprise that financial gain drives many actions, and ransomware has become a big business for organised crime. Gone are the days of lone hackers in basements. These attacks are often orchestrated by well-funded, organised criminals aiming to make money.
However, other motivations exist. For instance, activist groups often target specific industries for ideological reasons. A bank might be more concerned about attacks that disrupt their payment systems, which are financial risks. Meanwhile, an aviation company may be more vulnerable to activist-driven attacks like website defacements, due to the conflict between their operations and environmental activism.
As more industries automate, new threats emerge. For example, there’s growing concern about the cybersecurity of automated vehicles. Standards like UN R155, which is similar to ISO 27001, are being developed to safeguard the cyber aspects of automated vehicles. An attacker might not even be financially motivated but could cause chaos by forcing a malicious update to disable cars, as many vehicles now rely on over-the-air updates. Some people would view this as a fun or malicious activity, even if there's no monetary gain involved.
So, organisations must identify the unique risks they face, whether financial, activist-driven, or technical, and tailor their defences accordingly. Different attack types require different controls, depending on the motivation and methods used.
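The annualised loss expectancy calculation that Ben outlines earlier in the interview, worked through in code. This is an editorial addition to the page, not code from Platform Smart or from Ben: the data centre figures (a £10 million asset, 50% damaged, one event per 100 years) are taken from his example, while the `Scenario` helper, the ransomware figures and the mitigation costs are constructed assumptions for illustration. It goes one step beyond the single-number case by carrying a low and a high estimate of the annual rate of occurrence, which reflects the point that ransomware frequency is far less certain than earthquake frequency.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in business terms (assumed helper, not from the interview)."""
    name: str
    asset_value: float      # AV: what the asset is worth, in pounds
    exposure_factor: float  # EF: fraction of the asset lost in a single event, 0..1
    aro_low: float          # ARO, optimistic estimate of events per year
    aro_high: float         # ARO, pessimistic estimate (same as aro_low when well known)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the cost of one occurrence of the risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year, spreading the impact over time."""
    if aro < 0.0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def ale_range(scenario: Scenario) -> tuple[float, float]:
    """Low and high ALE for a scenario whose frequency is only known as a range."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return (
        annualised_loss_expectancy(sle, scenario.aro_low),
        annualised_loss_expectancy(sle, scenario.aro_high),
    )


def mitigation_verdict(scenario: Scenario, annual_cost: float, risk_reduction: float = 1.0) -> str:
    """Compare the yearly cost of a control with the ALE it removes.

    risk_reduction is the fraction of the ALE the control is expected to eliminate.
    Returns "invest" when the control pays for itself even on the optimistic estimate,
    "do not invest" when it costs more than the pessimistic ALE it removes, and
    "uncertain" when the answer depends on which frequency estimate is right.
    """
    low, high = ale_range(scenario)
    benefit_low, benefit_high = low * risk_reduction, high * risk_reduction
    if annual_cost <= benefit_low:
        return "invest"
    if annual_cost > benefit_high:
        return "do not invest"
    return "uncertain"


# Constructed scenarios. The data centre numbers follow the interview's example;
# the ransomware numbers are assumed purely for illustration.
DATA_CENTRE = Scenario("data centre in earthquake zone", 10_000_000, 0.5, 1 / 100, 1 / 100)
RANSOMWARE = Scenario("ransomware outage and recovery", 2_000_000, 0.6, 0.05, 0.5)


def summarise(scenario: Scenario, annual_cost: float, risk_reduction: float = 1.0) -> dict:
    """Gather the figures a risk owner would want to see on one line of a register."""
    low, high = ale_range(scenario)
    return {
        "scenario": scenario.name,
        "sle": single_loss_expectancy(scenario.asset_value, scenario.exposure_factor),
        "ale_low": low,
        "ale_high": high,
        "mitigation_cost": annual_cost,
        "verdict": mitigation_verdict(scenario, annual_cost, risk_reduction),
    }


if __name__ == "__main__":
    for row in (summarise(DATA_CENTRE, 20_000), summarise(RANSOMWARE, 100_000, 0.8)):
        print(row)
```

For the data centre the single loss expectancy is £5 million and the ALE is £50,000 a year, so a £20,000-a-year control is clearly worth buying. For the constructed ransomware scenario the ALE spans £60,000 to £600,000, and a £100,000 control that removes 80% of that risk lands in the "uncertain" band: the decision hinges on the frequency estimate, which is exactly the data most organisations lack.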
Stephen Cox
Head of Operations, PMO & Marketing