Cyber budgets are rising. Security stacks are expanding. Attacks are increasing year on year.
And yet, when incidents hit, many organisations still struggle to answer three basic questions:
- What’s affected?
- Who owns the response?
- What proof do we have?
The uncomfortable truth is this: most organisations are not short of cyber controls. They are short of coherence. Tools multiply. Frameworks overlap. Evidence scatters. Ownership blurs. Under pressure, assurance becomes reconstruction.
Fragmentation is now the quiet force multiplier of cyber risk.
Attacks on organisations globally have risen by roughly 44% year-on-year [1]. Meanwhile, breaches still take months to identify and contain [2].
If this feels familiar, our new eBook, Too many tools, not enough truth, explores why fragmented cyber programs break down under pressure, and what decision-ready resilience really looks like.
Cyber has changed, but operating models haven’t
Cyber risk no longer behaves like an occasional IT problem. It behaves like a persistent operating condition.
Incidents are more frequent. Exploitation windows are shorter. Disclosure expectations are tighter. In the United States, the SEC now requires public companies to disclose material cyber incidents within four business days [3]. NIS2 across the EU mandates early warning reporting within 24 hours of becoming aware of a significant incident [4].
The narrative window has compressed.
At the same time, disruption increasingly extends beyond data theft. Configuration errors, third-party outages, compromised suppliers, and misconfigured updates can halt operations without a single line of malicious code being deployed. When critical services stall, leaders are not asked how sophisticated the attack was. They are asked whether the organisation is still operating, and whether it can prove it.
The World Economic Forum now consistently ranks cyber insecurity among the most severe global business risks [5]. Cyber has moved from technical nuisance to systemic concern.
The AI threat: AI is adding another layer of acceleration. Attackers use it to scale phishing and automate reconnaissance. Employees use AI tools to move faster, sometimes outside approved governance boundaries. Shadow AI and agentic technologies introduce new exposure pathways that traditional dashboards were not designed to monitor.
The external environment has shifted decisively. The internal operating model often has not.
If incidents are now persistent, public and time-compressed, resilience cannot depend on heroic coordination.
The real failure mode: fragmentation
Cyber incidents rarely stem from a lack of tools. They stem from a lack of joined-up visibility into whether those tools are operating and what they cover.
Large enterprises now operate an average of 45 cybersecurity tools [6]. Each produces data. Each has a dashboard. Each reflects part of the picture. But few environments connect risk, controls, assets, incidents, testing results and ownership in a way that converges on facts quickly.
Add multiple frameworks into the mix (ISO, NIST, SOC 2, DORA, CPS 230, internal standards) and the same control may be mapped, tested and described several different ways. Assurance becomes translation. Duplication becomes normalised. Spreadsheets become glue.
Fragmentation multiplies harm because it slows the only thing that matters under pressure: convergence on a meaningful narrative for cyber risk management and reporting.
When an incident lands, leaders need clarity. Not dashboards. Not tool counts. Clarity.
That clarity is achieved by answering three questions:
- What’s affected?
- Who owns the control or response?
- What evidence can we produce right now?
In fragmented environments, answering those questions requires coordination across teams, inboxes, suppliers, and spreadsheets. Speed suffers. Confidence erodes.
China crisis: CrowdStrike reported a 150% rise in China-based intrusions in 2024, with financial services seeing increases exceeding 200% [7]. In such an environment, coordination lag is no longer a minor inefficiency. It is exposure.
Cyber programs break down fastest when information is scattered. In a crisis, confidence does not come from more dashboards. It comes from proof.
When cyber becomes an operational resilience test
The shift underway is not merely technical. It is structural.
Regulatory regimes across Europe, the UK, Australia and North America increasingly look at cyber disruption through the lens of operational resilience. The emphasis is no longer simply on having a framework. It is on staying within impact tolerances for critical services and demonstrating that governance operates under stress.
This reframing is important.
A supplier outage that halts customer transactions may not be a ‘breach’. A failed update that disables endpoints may not involve a threat actor. Yet both trigger the same executive and regulatory questions: Are we still operating? What is the impact? Can we prove control?
In tightly interconnected digital ecosystems, resilience extends beyond perimeter defence. It includes dependency mapping, third-party oversight, incident workflows, evidence capture and board-ready reporting.
Fragmented cyber programs struggle in this environment because operational resilience depends on connection. If controls, assets and owners are not clearly linked, disruption spreads faster than explanation.
Cyber resilience is now inseparable from enterprise governance.
What ‘good’ actually looks like
Perfection is an expensive myth in cyber. Real resilience is more pragmatic.
It looks like clear ownership at the control level, not committee-level ambiguity. It looks like controls linked directly to assets and services so that dependency questions can be answered without guesswork. It looks like testing and evidence that work alongside one another.
In connected environments, one control has one accountable owner and one proof trail. When testing occurs, results update the broader assurance picture automatically. When incidents are logged, they link back to affected assets and mapped controls. When executives ask for an update, reporting translates technical posture into overall business impact.
AI and automation can accelerate detection and analysis. But they only reduce risk meaningfully when governance is connected. Automation applied to fragmentation simply speeds up confusion.
Good cyber governance does not replace security tools. It connects them to risk management, accountability, and defensible reporting.
It allows organisations to move from periodic assurance to continuous, provable resilience.
The cost of doing nothing
Fragmentation rarely announces itself.
It does not trigger procurement alarms. It does not appear clearly in budget reports. It hides in duplicated controls, inconsistent mappings, and manual reporting effort.
Its impact becomes visible only when an incident forces the organisation to assemble a coherent account at speed. Then the organisation has to grapple with:
- Delays in understanding exposure.
- Uncertainty around ownership.
- Evidence requests that trigger scrambles rather than retrieval.
Once confidence is lost with boards, regulators or customers, rebuilding it is harder than containing the technical issue.
The reputational dimension of cyber disruption now rivals the operational one.
This is not about more tools
The instinctive response to rising threat levels is to add defences. More monitoring. More tooling. More frameworks. More layers.
But resilience does not scale linearly with tool count.
True cyber resilience does not come from adding complexity. It comes from connecting what already exists: controls to assets, assets to services, services to impact tolerances, and all of it to named ownership and retrievable evidence.
When incidents occur – and they will – leaders are judged on clarity, not volume.
- Can you explain impact?
- Can you demonstrate control?
- Can you prove accountability?
If answering those questions depends on who updated a spreadsheet last, the issue is not threat sophistication. It is operating model design.
Our new eBook, Too many tools, not enough truth, explores how fragmented cyber programs undermine assurance, and outlines practical steps you can take to reduce duplication, strengthen ownership and build decision-ready resilience.
And if you are ready to move beyond fragmented cyber management, request a demo of Protecht’s integrated cyber risk solution to see how risks, controls, assets, incidents and evidence connect in one environment, delivering clarity when it matters most.
References
1) CheckPoint, https://blog.checkpoint.com/security/cyber-attack-trends-2024/
2) IBM, https://www.ibm.com/reports/data-breach
3) SEC, https://www.sec.gov/rules/final/2023/33-11216.pdf
4) EUR-LEX, https://eur-lex.europa.eu/eli/dir/2022/2555/oj
5) WEF, https://www.weforum.org/reports/global-risks-report-2024/
7) CrowdStrike, https://www.crowdstrike.com/global-threat-report/


