For a small or medium-sized organisation, cyber security often begins with a fundamental question: what should the organisation actually be working towards?
Not in purely technical terms, but in practical ones. What does good look like? What are clients expecting? And how much is enough?
There is no single answer to that question. That uncertainty is often where organisations either overreach or fall short.
Some pursue a clearly defined target and assume that, once it has been achieved, the problem is solved. Others keep things informal, addressing risks as they arise without ever establishing a clear direction.
Neither approach is especially effective.
A common pattern is to adopt a recognised framework or baseline and treat it as the end point.
For example, many UK SMEs work towards Cyber Essentials. It is accessible, widely recognised and often requested within supply chains. It gives organisations a practical way to demonstrate that core controls are in place.
It can add real value.
It helps ensure that fundamental protections such as secure configuration, access control and patch management are considered and implemented. For many smaller organisations, this represents a significant improvement on having no formal structure at all.
The problem arises when that becomes the goal rather than the starting point.
There have been multiple cases highlighted by the National Cyber Security Centre in which organisations with baseline controls in place were still compromised by relatively simple attacks such as phishing or credential theft.
In one widely discussed example, an SME with recognised baseline protections in place suffered a breach after an employee’s credentials were compromised through a phishing email. The attacker did not need to bypass technical controls. They logged in using legitimate access and moved through the business unnoticed.
What failed was not the existence of controls, but the assumption that those controls were sufficient.
The organisation had achieved its goal on paper, but the reality of how people, systems and attackers interact had moved beyond it.
Broader UK data also shows how exposed SMEs remain. According to the Cyber Security Breaches Survey, 43 per cent of UK businesses experienced a breach or cyber attack in the last 12 months, rising to 67 per cent for medium-sized organisations.
This is not a criticism of frameworks themselves.
Baseline standards are useful. They create structure, reduce obvious weaknesses and help organisations take the first step towards maturity.
The issue is how the goal is defined.
If the goal is simply to achieve a framework, the result is often a static level of security within a dynamic threat environment. Controls may be implemented, but not always tested. Risks may be documented, but not always revisited.
Attackers, meanwhile, continue to adapt.
For organisations like yours, the more useful objective is not a single milestone, but a continuing process of improvement.
That process begins with structure. Policies that reflect how the business operates. Processes that define how decisions are made. A clearer understanding of where risks actually sit.
From there, the objective becomes one of steady improvement.
Gaps are closed over time. Controls are refined as the organisation grows. Confidence is built that what is written is actually happening in practice.
Just as importantly, the organisation develops a better understanding of how it would respond if something went wrong, rather than simply how it appears when everything is working as intended.
The shape of that objective changes as the organisation grows.
In a smaller organisation, the focus is often on bringing the basics under control. Moving away from informal practices towards something more consistent. Meeting client expectations without overcomplicating the business.
At this stage, progress is usually incremental and pragmatic.
In a medium-sized organisation, expectations increase.
There is more scrutiny from clients and suppliers. Greater reliance on systems and data. More need to demonstrate that controls are not only in place, but operating effectively and being maintained over time.
The conversation begins to shift from:
“We are doing the right things”
to:
“We can show that they are working”
One of the biggest influences on a cyber security objective is often external rather than internal.
Clients want reassurance. Suppliers want confidence. Increasingly, they are looking for signs that an organisation has reached a recognised level of maturity, even where they do not define that expectation explicitly.
Understanding those expectations, and how they apply to your organisation, is often more important than selecting a specific target too early.
Whatever the objective is, it should be clear enough to guide decisions, but flexible enough to evolve.
It should move the organisation towards recognised good practice without becoming dependent on a single milestone.
And it should reflect how the organisation actually operates, not simply how it appears on paper.
Most importantly, it should leave room for improvement.
Because in cyber security, standing still often amounts to falling behind.
The organisations that get this right rarely define their objective in a single sentence.
They build it over time. They adjust it as expectations change. And they recognise that what is appropriate for their size today may not be enough tomorrow.
That is where the real challenge usually sits.
It is also where the need for clearer direction and better-informed decisions becomes most obvious.
AJC helps organisations define realistic, proportionate cyber security objectives that reflect how the business actually operates. We support clients in building structure, improving controls and making informed decisions about the standards, frameworks and practical steps that will strengthen security over time.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Image accreditation: Allison Saeng (November 2023) from Unsplash.com+. Last accessed on 6th May 2026. Available at: https://unsplash.com/photos/a-padlock-on-a-wall-with-a-blue-background-1hxZgpkP1xU