Six Years On: Are Cyber Controls Still a Waste of Money?

Published in Technical Blog, 2026

Six Years On: Are Cyber Controls Still a Waste of Money?

Notes based on a BCS ISSG talk by Andy Evans, revisiting a provocative claim from six years prior: organizations often spend money on cyber controls that make them feel safer rather than actually safer. The problem was never the technology — it’s accountability and governance.

The Endless Arms Race

Security measures are perpetually reactive. Using car theft as the metaphor: every control — steering locks, immobilizers, Faraday pouches — eventually gets bypassed, forcing a new defense. The cycle never settles into equilibrium.

Conditions Have Deteriorated

Since the original talk, things have gotten worse, not better. Prevention is now effectively impossible, software supply pipelines themselves are compromised, legacy systems have aged further into liability, and AI has lowered the barrier for less-skilled attackers to build sophisticated tools.

Real-World Failures

Hospitals reverting to pen-and-paper during cyberattacks, and medical facilities disabling WiFi outright, show how quickly digital failure cascades into operational chaos.

AI’s Double Edge

AI can strengthen defenses, but ungoverned AI adoption just recreates the risks it promises to solve — illustrated by fabricated KPMG case studies making the rounds as cautionary tales.

The Real Problem Is Accountability

The issue was never purely technical. Without real consequences for leadership when the basics fail, security spending stays ineffective regardless of how sophisticated the tooling gets.

Unglamorous Solutions

The prescription hasn’t changed: strong governance, continuous training, disciplined asset management, robust identity systems, offline backups, and treating security as an ongoing practice rather than a completed project.

Conclusion

Cyber controls aren’t inherently wasteful — poorly governed, checkbox-driven controls are. What determines the outcome is whether leadership actually owns the risk and accepts consequences for failure.

Read the full article on Medium: Six Years On: Are Cyber Controls Still a Waste of Money?