[Image: Noel Bradford at a desk reviewing a laptop with an amused and exasperated expression in a well-lit office]

Opinion

I Left Them Two Bottles of Prosecco and They Fixed Cybersecurity Without Me

I’m going to be honest with you, which is something I try to do regularly and which this week requires a particular variety of honesty.

I missed the podcast.

Something came up, I told the team to go ahead without me, I left what I considered a reasonable peace offering in the studio fridge, and I came back to find that Mauven MacLeod, Corrine Jefferson, and Lucy Harper had recorded what may be the most useful episode we’ve produced in months.

I listened to it on Wednesday morning. By the time I’d finished, I had filled most of a notepad and was experiencing a specific feeling that I can only describe as being furious at being correct about people I work with.

They were right. They were completely, infuriatingly right. And here’s why that matters.


The Bit That Landed

The episode is about overconfidence as a security vulnerability. Not overconfidence in the sense of arrogance. The quieter, more insidious kind: the confident-sounding phrases that organisations use to explain why the things on their security backlog are probably not as urgent as they appear.

“We’ve already got a tool for that.”

“Our environment is quite unique.”

“That finding was rated medium, not critical.”

“The dashboard looks calm.”

I have spent decades watching businesses say these things. I have watched them say these things and then, somewhere between three months and three years later, discover that the thing they were confident about was, in fact, the thing that brought them down.

What Mauven articulated better than I probably would have is this: these phrases are not the result of ignorance. They are the result of confidence. Confidence that sounds reasonable, gets nodded at in meetings, and prevents the organisation from doing the awkward, unglamorous work of actually fixing what it knows to be broken.

That distinction matters. If the problem were ignorance, the solution would be education. More Cyber Essentials posters. More awareness campaigns. More people like me talking at businesses about why they should care.

But the businesses that get breached aren’t, in the main, ignorant. They know the risk is real. The DSIT survey tells us that 58% of UK business leaders rank cyber breaches as their top risk this year. They know. They just have a story about why their specific situation is probably fine, and nobody with sufficient authority or cultural permission to challenge that story.


The Davina Problem

Lucy introduced a character during the episode called Davina from IT.

The premise was this: the junior engineer who spots the unpatched system, flags the excessive permissions, notices that a random application has access to client data, is frequently dismissed. Not because they’re wrong. Because they’re inconvenient. Because addressing what they’ve identified requires time, money, a conversation with a vendor, or admitting that something has been wrong for longer than is comfortable.

Davina filed the report. Twice. Raised it at three meetings. Was told it was theoretical. Stopped raising it.

And then, when the incident happens, everyone in the post-incident review is surprised that nobody flagged it sooner.

This is not a technology problem. I want to be absolutely clear about that. No amount of additional tooling addresses the Davina problem. The Davina problem is a leadership problem. It is a culture problem. It is the problem of an organisation that has trained its technically competent staff to understand that raising uncomfortable things does not produce action, and that the cost of being the awkward voice in the meeting is higher than the cost of staying quiet.

Until an attacker makes that calculation look very stupid indeed.


What I Would Have Added

I listened to the whole episode and I found myself with one addition to what the team covered.

The overconfidence problem is not evenly distributed across an organisation. It concentrates at the top.

The junior engineer is usually not overconfident about the state of the network. They can see the state of the network. The overconfidence sits with whoever is receiving their reports, interpreting them, and making the resource allocation decisions. And the higher up the organisation you go, the less accurate the picture tends to be, because the picture that reaches senior decision-makers has been filtered through layers of people who have learned that bad news is not well received.

This is a structural problem. The solution is not better reporting tools. It is a leadership culture that actively creates conditions for accurate information to travel upward without being softened, reframed, or filed under “we’ll revisit that next quarter.”

The businesses I’ve seen navigate incidents with minimal damage all have one thing in common: someone at the top who responds to bad news by asking what needs to happen to fix it, rather than asking who is responsible for the fact that it happened.

That sounds obvious. It is apparently quite rare.


The Uncomfortable Truth About Security Spending

Here’s the part that irritates me most about the overconfidence problem, because it is the part that makes the industry look bad.

Businesses are spending money on security. UK cyber spending has been increasing year on year. Certification rates are up. Tool adoption is up. The security industry has been very effective at selling the concept of security investment.

What it has been less effective at selling is the boring, unglamorous, difficult-to-package work that actually determines whether that investment produces outcomes.

Patch management. Permission reviews. Shadow IT governance. Concern-raising processes. These are not products. You cannot buy them and put them in a proposal. They require internal discipline, consistent attention, and a culture that rewards honesty over comfort.

The overconfidence problem is, in part, a product of the security industry’s own marketing. We have sold the idea that security is a technology problem with technology solutions. Then we are surprised when businesses purchase the technology and believe they have the solutions.

Mauven put it well: buying confidence is easier than building resilience. I’d only add that the security industry has been very good at selling the former while the latter is the only thing that actually works.


What I Think Should Happen Next

I want to give you something practical, because the fact that this is a reaction piece to a podcast doesn’t mean it should end without a specific ask.

This weekend: Listen to Monday’s episode if you haven’t already. The four questions Mauven poses at the end are worth writing down.

This week: Run the audit Graham outlined on Thursday. It is half a day. It requires no new tools. It will produce a list of things you already knew about but have been avoiding.

This month: Address one item from that list. Not all of them. One. The one that has been deferred the longest is usually the right one to start with.

And if you have a Davina in your organisation: someone who raises security concerns through proper channels, documents them carefully, and hasn’t been seeing those concerns actioned, I’d suggest having a direct conversation with them before the end of the week.

Not to apologise. To ask them what they think needs to happen. And then to actually respond to what they tell you.


On the Prosecco

For the record, Mauven described it as “reasonably priced.”

This is accurate. I had a budget. I stuck to it. Lucy called it “cost-optimised Prosecco,” which is, I’ll admit, an excellent phrase that I am probably going to use again.

The team is good. They covered a serious topic well, with appropriate precision from Corrine and appropriate human consequence from Lucy, and Mauven held the thing together with the kind of calm authority that I find both impressive and slightly unsettling.

I am, genuinely and unironically, proud of this episode.

I am also going to buy slightly better Prosecco next time so they don’t have material to work with.


How to Turn This Into a Competitive Advantage

Everything this week has been building to this point.

Most businesses in your sector are still managing the overconfidence problem by not looking at it. They have tools, a certificate, and a narrative about why their situation is probably fine.

If you have spent this week running the audit, reviewing the permissions, assessing the shadow tools, and creating a functional process for your team to raise concerns, you are ahead of the majority of your competitors. Not because you have better tools. Because you have a more accurate picture of your own security posture.

That accuracy is increasingly valuable. Insurers are asking for evidence of active management at renewal. Clients are asking security questions in supplier assessment processes. Cyber Essentials v3.3 goes live in April with tightened requirements. The Cyber Security and Resilience Bill is progressing through Parliament.

The organisations that have done the unglamorous work will be the ones that can answer these questions confidently and accurately.

Confident and accurate. Those two words belong together. This week was about making sure they do.


How to Sell This to Your Board

One sentence: the businesses that navigated this week’s headlines without incident are not the ones with the most tools. They are the ones with the most accurate picture of their own security posture.

Your board should be asking whether you have that picture. If you do not, this week’s content gives you a specific, low-cost process to obtain it.


Sources

Source: DSIT / UK Government
Article: Cyber Security Breaches Survey 2025

Source: NCSC
Article: Cyber Security: Board Toolkit

Source: Infosecurity Magazine
Article: Cyber Breaches, Compliance and Reputation Top UK Corporate Concerns

Source: This week on the podcast
Article: The Small Business Cyber Security Guy — Confidence Is Not a Control
