At a recent security conference, Tom Miller, who heads Assurance at AMR CyberSecurity — Part of Infinum and spent years leading cyber operations inside the UK government and with major UK organisations, made an observation that landed differently from the usual cybersecurity warnings.
He had spent a decade working with organisations that looked, on paper, completely secure. They had the certifications, the frameworks, and annual phishing exercises.
And yet, in nearly every case, he found a gap. Not necessarily a gap in the firewall or in technology – a gap between what the organisation thought was true about its security posture and what actually was.
That gap is what he calls being “secure on paper.” And it’s where the most interesting, and most costly, breaches happen.
The certification trap
Here’s a common scenario: a business pursues a cybersecurity certification. The teams work hard to implement controls and document processes.
Finally, they get the badge. Everyone celebrates. The business goal was achieved.
Then the work stops.
The badge gets framed on the office wall, and quietly, the machinery that earned it begins to decay. Patches slip, policies become stale, and the certification is maintained in name only, renewed through a box-ticking compliance audit, not through genuine practice.
The problem is not that certifications don’t matter. They do. They force organisations to think systematically about security and implement baseline controls. The problem is what happens after you get one.
A certification is not a destination. It is proof that you met a standard at a point in time. The moment the auditor leaves, maintenance becomes your job – and maintenance is where most organisations fail.
This is especially dangerous because certifications create a false sense of security.
Stakeholders see the badge and assume the business is secure. Management can point to it in board meetings. Customers trust it. But the badge is not the same as the work that earned it. And if you stop doing the work, the security erodes while the badge stays on the wall.
The hard truth: you cannot be 100% secure, and no certification will ever change that. What you can do is maintain a system that allows you to manage risk intelligently, understand where you are exposed, and respond when something goes wrong.
Yes, you are a target
This is where many organisations, especially smaller ones, get the logic wrong.
“We’re not Netflix. We’re not a Fortune 500 company. Why would anyone target us?”
The answer is simpler and more urgent than you think: you have value, and attackers know it.
That value might be your proprietary data. It might be the relationships you hold with customers. It might be your staff’s credentials, which give an attacker a foothold in your systems. It might be your business processes themselves, which can be interrupted and held to ransom.
But here’s the critical insight: you may not be the final target at all. You may be the avenue. A supply chain attack, an abused trusted connection, lateral movement from one partner to another – attackers often work through smaller, less-defended businesses to reach larger ones.
The traditional assumption was that attackers target only high-value targets. In reality, attackers target whoever is easiest to breach. And smaller businesses, with fewer security resources and simpler defences, are often the path of least resistance.
This is not scaremongering; it is probability. The question is not if you will be targeted but when. And the only thing you control is how well prepared you are when it happens.
The phishing exercise is not enough
Security awareness training is essential. Annual phishing exercises are a standard control. But Tom has watched organisations treat these exercises as if they were the entire security program.
“We’re fine. Everyone passed the phishing test.”
The problem is two-pronged.
First, a poorly designed phishing exercise – one that treats the whole thing as a “gotcha” rather than a genuine learning moment – can breed resentment among staff.
Employees start to treat security as something IT is doing to them, not something they are doing for themselves. When that happens, security becomes a compliance burden, not a cultural value.
Second, phishing training alone does not inoculate an organisation against the sophisticated social engineering attacks that actually breach companies.
A targeted attacker does not rely on mass phishing emails. They study your business, your staff and your communication patterns. They research your leadership team. They craft highly targeted messages that reference real projects, real relationships and real reasons to click a link.
The training that matters is not just the annual exercise. It is the ongoing communication that security is everyone’s job, that mistakes happen, and that reporting an incident – even a small one – is always the right call.
Naturally, this only works if the organisation makes it psychologically safe to report.
Organisations that create a culture of fear around security incidents end up with unreported breaches. The incident happens, someone makes a mistake, something gets through – and they stay silent out of fear. The breach goes undetected longer, and the final damage is worse.
Security training is an investment in a culture where people understand the threats and feel safe reporting when something goes wrong.
The danger of assumptions
The most important lesson is this: “One of the most dangerous vulnerabilities in any organisation, network, or system isn’t a flaw in the code or a weak password. It’s an assumption.”
Organisations assume that patches are applied, that employees are vigilant, that data is encrypted, that access is authorised, and that partners and suppliers are secure. They assume that because nothing has visibly gone wrong, nothing will go wrong.
Attackers exploit unverified assumptions. They find the patch that was never installed. The access that was never revoked. The password that was never changed. The data that was never encrypted. And they do not announce their presence until it is far too late.
The first step in any security engagement is identifying these assumptions and verifying them. What do you actually know about your network? What are you only assuming?
This is where penetration testing becomes invaluable. Not as a checkbox audit, but as a reality check.
A penetration test walks through your environment the way an attacker would, and tests the assumptions your security team is making. Can we really not get past the firewall? Can we really not escalate privileges once we are inside? Can we really not access the data we are supposed to be protecting?
Often, the answer is no. The assumptions were wrong.
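What “verifying an assumption” looks like in practice is reconciling what the paperwork claims against what the estate actually reports. The script below is an added example, not code from the article or from AMR: it takes three of the assumptions named above (patches applied, leaver access revoked, sensitive data encrypted) and checks each against observed state. The package names, usernames, hosts and datastores are constructed sample data; in a real run the “observed” side would come from your package manager, identity provider and storage APIs, and the “claimed” side from your patch policy and offboarding records.

```python
"""Check documented security assumptions against observed state.

Added example, not code from the article or from AMR. All inventories below are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    assumption: str   # which belief turned out to be wrong
    subject: str      # host, resource or datastore affected
    detail: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.58' into (2, 4, 58) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_patches(minimum_versions, observed_hosts):
    """Assumption: every host runs at least the version the patch policy requires.
    A host where the package is absent is reported too: the assumption cannot be confirmed."""
    findings = []
    for host, packages in observed_hosts.items():
        for package, required in minimum_versions.items():
            installed = packages.get(package)
            if installed is None:
                findings.append(Finding("patches applied", host,
                                        f"{package} not found; cannot confirm patch level (policy expects >= {required})"))
            elif parse_version(installed) < parse_version(required):
                findings.append(Finding("patches applied", host,
                                        f"{package} {installed} is below required {required}"))
    return findings


def check_revocations(leavers, observed_access):
    """Assumption: offboarded staff have had all access revoked."""
    return [
        Finding("access revoked", resource, f"{user} has left but still holds access")
        for resource, users in observed_access.items()
        for user in users
        if user in leavers
    ]


def check_encryption(must_be_encrypted, observed_datastores):
    """Assumption: every datastore the policy lists as sensitive is encrypted at rest."""
    findings = []
    for name in must_be_encrypted:
        state = observed_datastores.get(name)
        if state is None:
            findings.append(Finding("data encrypted", name, "listed in policy but not found in inventory"))
        elif not state.get("encrypted", False):
            findings.append(Finding("data encrypted", name, "not encrypted at rest"))
    return findings


def verify_assumptions(claimed, observed):
    """Run every check and return the assumptions that did not hold."""
    return (
        check_patches(claimed["minimum_versions"], observed["hosts"])
        + check_revocations(claimed["leavers"], observed["access"])
        + check_encryption(claimed["encrypted_datastores"], observed["datastores"])
    )


# Constructed sample data: what the paperwork says ...
CLAIMED = {
    "minimum_versions": {"openssl": "3.0.13", "sudo": "1.9.15"},
    "leavers": {"jsmith"},                                  # offboarded last quarter
    "encrypted_datastores": ["customer-db", "hr-backups"],
}
# ... and what a collector actually found.
OBSERVED = {
    "hosts": {
        "web-01": {"openssl": "3.0.13", "sudo": "1.9.15"},
        "web-02": {"openssl": "3.0.9", "sudo": "1.9.15"},   # missed the patch cycle
        "bastion": {"sudo": "1.9.15"},                      # openssl not reported at all
    },
    "access": {
        "customer-db": ["dba", "jsmith"],                   # leaver never removed
        "hr-backups": ["hr-admin"],
    },
    "datastores": {
        "customer-db": {"encrypted": True},
        "hr-backups": {"encrypted": False},                 # "encrypted" in the policy only
    },
}

if __name__ == "__main__":
    for f in verify_assumptions(CLAIMED, OBSERVED):
        print(f"[{f.assumption}] {f.subject}: {f.detail}")
```

The point of the structure is that each check is a statement of belief paired with the evidence that would falsify it; a host that cannot report its patch level is listed alongside a host that is behind, because an assumption you cannot verify is still an assumption.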
Know your crown jewels
Before you can protect something, you have to know what you are protecting.
Tom uses the metaphor of the Tower of London.
The crown jewels are what you cannot afford to lose—the critical assets your business needs to operate. The first security engagement always starts with the same question: What are your crown jewels? Where are they? Who has access to them? What would happen if they were compromised, stolen, encrypted, or deleted?
Once you identify your crown jewels, you can apply Defence in Depth. You secure the keep. You build walls around the keep. You dig the moat. You place guards. Each layer is designed to slow an attacker down and increase the chance they are detected and/or deterred.
This also means establishing your risk tolerance. How much risk is your business willing to accept? If you cannot afford to lose a system, then that system needs to be protected accordingly. If you can afford some downtime, then your approach can be different.
Too often, organisations approach risk management differently depending on who identifies the risk. One team prioritises customer data. Another prioritises uptime. Another prioritises intellectual property.
They cannot agree on what is critical to the business, which means they cannot agree on how to protect it.
The organisations that manage risk effectively start by documenting and agreeing on the fundamentals: what are we protecting, and how much risk can we accept?
Once that agreement exists, you can make uniform, robust decisions about risk management.
Zero trust as a mindset, not a gadget
The term “Zero Trust” has become a technology marketing phrase.
Buy this firewall, this identity platform, this data loss prevention tool, and you will “have” Zero Trust.
This fundamentally misses the point.
Zero Trust is a mindset. It is the principle that you should not implicitly trust anything – whether it is inside your network or outside.
Before you allow access to something, you verify who the entity is. You verify they have a reason to access the data. You challenge them if they want to elevate their rights. You require authorisation to download or move sensitive information.
For decades, the security model was: if you are inside the network, you are trusted.
This meant that attackers only needed to breach the perimeter – to get inside the firewall – and they were treated as trusted entities. They could move laterally, escalate privileges, and access data with minimal friction.
Zero Trust inverts this. Instead of basing trust on location (inside or outside), you base trust on identity and authorisation. Who are they, and why are they here? This applies to employees, contractors, third-party systems, cloud services – everyone.
Technology matters, but technology without the mindset is just another box on the shelf. Likewise, the mindset without technology is not enough. Both are required, but the mindset comes first.
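The difference between the two models is easiest to see as a decision function. The script below is an added example, not code from the article or from AMR: it evaluates the same requests under a perimeter rule (inside the network means trusted) and under a Zero Trust rule that ignores location and checks identity, authorisation and a step-up approval for actions that move sensitive data. The network ranges, identities, resources and entitlements are constructed; a real deployment would take them from the identity provider and policy store.

```python
"""Perimeter trust versus Zero Trust, as a policy decision function.

Added example, not from the article or from AMR. Ranges, identities and
entitlements are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: ranges the old model treats as "inside".
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed entitlements: which actions each identity has a business reason for.
ENTITLEMENTS = {
    "alice": {"customer-db": {"read", "write", "export"}},
    "svc-reporting": {"customer-db": {"read"}},
}
# Actions that move or widen access to sensitive data always require an approval,
# even for an identity already entitled to them.
STEP_UP_ACTIONS = {"export", "elevate"}


@dataclass(frozen=True)
class Request:
    source_ip: str
    subject: Optional[str]          # authenticated identity, None if the session has none
    mfa: bool                       # True if this session completed strong authentication
    resource: str
    action: str
    approval: Optional[str] = None  # change/approval reference for step-up actions


def perimeter_decision(req: Request) -> tuple[bool, str]:
    """The legacy model: location is the only thing that matters."""
    if any(ip_address(req.source_ip) in net for net in INTERNAL_RANGES):
        return True, "inside the perimeter"
    return False, "outside the perimeter"


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Location is ignored; identity, authorisation and step-up are checked in turn."""
    if req.subject is None:
        return False, "no verified identity"
    if not req.mfa:
        return False, "identity not strongly verified"
    permitted = ENTITLEMENTS.get(req.subject, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, f"{req.subject} has no authorised reason to {req.action} {req.resource}"
    if req.action in STEP_UP_ACTIONS and not req.approval:
        return False, f"{req.action} needs an approval reference"
    return True, "identity verified and action authorised"


# Constructed requests: the interesting cases are where the two models disagree.
REQUESTS = {
    # An attacker who got inside the network but holds no credentials.
    "lateral-move": Request("10.20.3.7", None, False, "customer-db", "read"),
    # A legitimate engineer working from home.
    "alice-remote": Request("203.0.113.25", "alice", True, "customer-db", "read"),
    # The same engineer, on the LAN, bulk-exporting without an approval.
    "alice-export": Request("10.20.3.8", "alice", True, "customer-db", "export"),
    # The same export, with an approval reference.
    "alice-export-approved": Request("10.20.3.8", "alice", True, "customer-db", "export", "CHG-1042"),
    # A service account on the LAN stepping outside its job.
    "svc-write": Request("10.30.0.4", "svc-reporting", True, "customer-db", "write"),
}


def compare(requests=REQUESTS):
    """Return {name: (perimeter_allowed, zero_trust_allowed)} for each request."""
    return {name: (perimeter_decision(r)[0], zero_trust_decision(r)[0])
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        p_ok, p_why = perimeter_decision(req)
        z_ok, z_why = zero_trust_decision(req)
        print(f"{name:22} perimeter={'allow' if p_ok else 'deny':5} ({p_why}); "
              f"zero-trust={'allow' if z_ok else 'deny':5} ({z_why})")
```

Note that the Zero Trust function never looks at the source address at all: the unauthenticated lateral mover on the LAN is denied, the engineer at home is allowed, and the engineer on the LAN is still challenged for the export. That is the mindset the section describes; the products are only ways of supplying the identity, entitlement and approval inputs this function consumes.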
The IT department is not responsible for security
This is the most persistent misconception Tom encounters.
“We have an IT team. They handle security.”
Here’s the problem: IT and security have fundamentally different objectives. IT’s job is to support the business in achieving its goals as fast and as cheaply as possible through the use of technology. Security’s job is to achieve those same goals in a secure manner – which is often slower, more costly, and more constrained.
Put the Head of IT in charge of both, and you’ve created an impossible situation. They are being asked to hold two conflicting objectives at once.
Now, the reality is that in many smaller organisations, this is exactly what happens. Resources are limited. A single person or team has to wear both hats. When this is unavoidable, there is one critical condition: top management must understand security and actively support it.
Security cannot be delegated to IT and then forgotten. It requires leadership attention. It requires risk-based decision-making. It requires someone in the room willing to say: “This technical decision has a security cost. Are we willing to accept that risk?”
Top management – the board, the C-suite, the people who can accept risk and make decisions – are the only ones who can resolve the conflict between speed and security. If they do not, the Head of IT will always choose speed, because that is what the business visibly rewards.
Security is a practice, not a project
Here is the closing insight from Tom’s experience: “Security isn’t a project with a completion date. It isn’t a box you tick and move on from. It’s a practice. Like any practice, it only works if you keep doing it.”
A project has a start, a plan, and an end date – you complete it and declare victory.
This is how many organisations approach security: they hire a consultant, run a penetration test, implement the findings, and declare the engagement complete.
But security is not a project.
A penetration test is a point-in-time assessment. It tells you what vulnerabilities existed on the day of the test. It does not tell you what vulnerabilities may exist tomorrow. New code has been deployed. New staff have been hired. New systems have been integrated. New threats have emerged.
Security is a practice. It requires continuous attention. It requires a culture where security is not someone else’s job – it is everyone’s. It requires processes for ongoing training, incident reporting, patch management, and risk assessment. It requires leaders who take it seriously and employees who feel safe raising concerns.
The organisations that are actually secure – not just on paper – treat security as a permanent part of how they operate. They maintain their certifications by continuing to do the work that earned them. They stay alert to changing threats. They test their assumptions. And finally, they learn from incidents and improve.
The gap is what you are missing
So. Are you secure on paper?
Maybe. Probably, even. You have the certifications, the policies, the annual exercise, the IT team holding everything together.
But here is what Tom’s decade of working with organisations has taught: the gap is never where you are looking. It is in the assumption you forgot to question. The access nobody thought to revoke. The patch that did not quite get applied everywhere. The incident nobody felt safe enough to report. The policy that was written and then quietly forgotten.
Security on paper feels safe. And that is precisely why it is dangerous.
The organisations that are actually secure do not stop at the badge. They maintain the work. They verify the assumptions. They make it safe for people to report mistakes. They treat security as a continuous practice, not a completed project. And they understand that the difference between looking secure and being secure is not a matter of technology or policy. It is a matter of culture, discipline, and attention.
The attackers are not looking at your policies. They are looking at the gap between what you think is true and what actually is.
So don’t be secure on paper. Verify it.
Moving from secure on paper to actually secure
The organisations that close the gap between looking secure and being secure all start with the same foundation: they know what they’re protecting, they understand their risk tolerance, and they’ve built a continuous practice around security maintenance.
That foundation is governance and risk management.
At AMR — Part of Infinum, we help organisations move beyond the badge. We work with teams to map their critical assets, establish risk frameworks, document their security posture, and build the institutional practices that keep security active, not just achieved.
Explore our Governance, Risk & Compliance services and learn how to turn security from a compliance checkbox into a sustained business discipline.