vCISO Explainer Part 2 - Cyber Tools vs Cyber Risk: Why “Good Security” Can Still Mean High Exposure


There is a phrase that comes up in almost every conversation about cyber risk with business leaders: 'We've got that covered.'

Usually, they mean it sincerely. There is a managed service provider looking after the infrastructure. There is antivirus software. There might be a firewall, an email filtering tool, and a monthly security report. The organisation has done the reasonable thing and invested in protection.

And yet a significant number of those same organisations are carrying risk they have not identified, let alone managed. Not because the tools are failing — but because tools and risk management are two different things.


The Problem

Security tools are designed to do specific jobs. An endpoint detection product monitors devices for known threat signatures. A firewall filters network traffic. An email security gateway catches most phishing attempts. Each one is valuable. None of them, individually or together, constitutes risk management.

Risk management requires someone to ask a different set of questions: What could go wrong in ways our tools won't catch? What is the business impact if it does? Who is responsible for ensuring the answer stays acceptable?

Consider a professional services firm with 80 employees. They run Microsoft 365, have Defender configured, and use a reputable MSP for monitoring. Their tooling is solid. But their finance director has been granted global admin rights to the Microsoft environment — a convenience arrangement that was never reviewed. A business email compromise attack targets her account. The attacker does not trigger an alert because the behaviour, viewed in isolation, looks legitimate.

The tools were not wrong. The risk was simply not on anyone's radar.


The Consequences

The gap between 'we have security tools' and 'we manage security risk' has concrete consequences.

Cyber insurance claims. Insurers increasingly distinguish between organisations that have tools and organisations that have governance. A claim where the insurer finds no documented risk management process, no ownership of key risks, and no evidence of board-level oversight is a claim that may not pay out in full — or at all.

Regulatory exposure. The ICO does not investigate your tool configuration. It investigates whether you took reasonable steps to protect the data you hold and whether appropriate governance was in place. Technical controls are necessary. They are not sufficient.

Board liability. Under the Companies Act and evolving cyber governance expectations, directors are increasingly expected to have exercised reasonable oversight of material risks. Cyber risk is material for most organisations. Relying on a technical report to discharge that responsibility is a fragile position.


What This Is

False confidence is a specific risk in its own right. An organisation that believes it is protected, because it has tools, is less likely to identify and address the exposures that sit outside those tools' coverage.

Most cyber incidents do not happen because the security technology failed. They happen because of something human: a misconfigured permission, a process that was never reviewed, a vendor with excessive access, a password policy that looked fine on paper but was not enforced in practice. Tools do not catch what they are not configured to look for, or what they are not capable of seeing.


Why It Matters

The distinction between security controls and risk management is the central one this series keeps returning to. Controls reduce the likelihood or impact of specific threats. Risk management is the ongoing process of identifying what your organisation is actually exposed to, deciding what is acceptable, and ensuring someone is accountable for managing what is not.

You can have excellent controls and poor risk management. Most SMEs do.

The reverse — strong risk management, moderate controls — is arguably the safer position. An organisation that understands its risk exposure can make conscious, informed decisions about where to invest and what to accept. An organisation that has invested in tools but has no governance function is flying blind with good instruments.


How We Can Help

Understanding where your tools end and your risk begins is the first step. ITbuilder's vCISO service maps your current security investments against your actual risk exposure — identifying the gaps that no amount of tool reporting will surface on its own. The next article in this series looks at Cyber Essentials specifically: what it covers, what it doesn't, and why so many organisations treat it as a destination when it is actually a starting point.

Check out our Cyber-security Posture Review to see how you align to Cyber Essentials best practices.

Questions and Answers

We passed our Cyber Essentials assessment last year. Doesn't that mean we're protected?

Cyber Essentials confirms that five specific technical controls are in place at the point of assessment. It is a minimum baseline standard, not a measure of your ongoing risk posture. Article 3 in this series addresses this in detail.

What does a tool actually miss that risk management would catch?

Typical examples include: privileged accounts with no review process, legacy systems excluded from the main monitoring scope, third-party suppliers with excessive access, business processes that create risk that no technical control prevents, and risk that emerges from growth or change that the original tool configuration did not anticipate.
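The first item in that list, and the finance director scenario in "The Problem" above, is the kind of exposure a periodic privileged-access review catches and monitoring tooling does not. The script below is an added illustration, not ITbuilder's tooling: it runs a simple review over a constructed, simplified export of Microsoft 365 role assignments (the field names, the approved job functions and the 90-day review interval are all assumptions) and reports every high-privilege role that is held outside the approved functions or has not been reviewed recently.

```python
from datetime import date, timedelta

# Constructed sample of privileged role assignments, modelled on the article's
# scenario: a finance director holding Global Administrator as a convenience
# arrangement that was never reviewed. Field names are an assumption.
ROLE_ASSIGNMENTS = [
    {"user": "it.admin@example.com", "role": "Global Administrator",
     "job_function": "IT", "last_reviewed": "2025-01-10"},
    {"user": "finance.director@example.com", "role": "Global Administrator",
     "job_function": "Finance", "last_reviewed": None},
    {"user": "helpdesk@example.com", "role": "Helpdesk Administrator",
     "job_function": "IT", "last_reviewed": "2024-06-01"},
    {"user": "vendor.support@example.com", "role": "Global Administrator",
     "job_function": "Third party", "last_reviewed": "2024-02-15"},
]

# Roles treated as high privilege for the purposes of this review.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Assumption: only the IT function is approved to hold high-privilege roles.
APPROVED_FUNCTIONS = {"IT"}
# Assumption: each privileged assignment must be re-approved every 90 days.
REVIEW_INTERVAL = timedelta(days=90)


def review_findings(assignments, today_iso, approved_functions=APPROVED_FUNCTIONS,
                    review_interval=REVIEW_INTERVAL):
    """Return (user, reason) findings for high-privilege roles that are either
    held outside the approved job functions or overdue for review.
    These are governance findings: nothing here is an alert a tool would raise."""
    today = date.fromisoformat(today_iso)
    findings = []
    for a in assignments:
        if a["role"] not in HIGH_PRIVILEGE_ROLES:
            continue
        if a["job_function"] not in approved_functions:
            findings.append((a["user"], f"{a['role']} held by {a['job_function']} function"))
        last = a["last_reviewed"]
        if last is None:
            findings.append((a["user"], f"{a['role']} never reviewed"))
        else:
            age = today - date.fromisoformat(last)
            if age > review_interval:
                findings.append((a["user"], f"{a['role']} review overdue by {age.days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in review_findings(ROLE_ASSIGNMENTS, "2025-03-01"):
        print(f"{user}: {reason}")
```

The output is a list for a named owner to action, which is the governance step the article describes: the tooling was right that each login looked legitimate, but only a review asks whether that account should hold the role at all.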

Isn't our MSP responsible for risk management?

Your MSP is responsible for the operational scope you have contracted with them. Most MSP contracts cover monitoring, response, and maintenance. None of them make the MSP accountable for your organisation's risk posture. That accountability sits with your board, whether it is actively exercised or not.

How much risk is acceptable?

That is a governance question, not a technical one. Every organisation has a risk appetite — the level of risk it is willing to accept in pursuit of its objectives. Most SMEs have never articulated one. Articulating it is one of the first things a vCISO does.

Can we just ask our MSP to run a risk assessment?

A point-in-time risk assessment is useful. But it is not the same as ongoing risk management. The assessment tells you where you are today. It does not ensure someone owns the outcome, updates the picture as the business changes, or reports to the board on what has changed.


Summary

Security tools and cyber risk management are related but distinct. Having one does not guarantee you have the other. Most organisations with managed services and technical controls have covered the operational layer of security well. The governance layer — risk identification, ownership, and board-level accountability — is where the gap tends to sit.




Henry Lawrence

Henry is the Managing Director of ITbuilder. He is also a CISM professional with over 7 years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in FS, Public Sector and E&U.
