Cyber Security: Are You Really Protected… and How Do You Know?

Cut through cyber complexity with benchmarking that reveals your real maturity, spend, risks and priorities, helping you build a balanced, resilient security environment.

Cyber security is one of those topics everyone agrees is important, yet most organisations still struggle to answer the basics:

  • How secure are we?
  • Are we spending the right amount?
  • Do we have the correct number of resources and skillsets?
  • How do we compare to similar organisations?
  • Where are we still exposed?

With threats rising, tools multiplying, and budgets under pressure, gut feel isn’t enough anymore. You need evidence.

Cyber Spend Is Rising, But Not Always in the Right Places

In our article Do you know how much you’re spending on cyber security? Could it be too much?, we highlighted how security budgets are being squeezed from all sides.

CIOs feel the pressure of increasing threats. CFOs ask for savings. CISOs fight for more investment. Meanwhile, hidden costs accumulate through legacy systems, overlapping tools, and the amount of staff effort required, often without being recognised. This is where IT transparency becomes invaluable. Understanding the true cost and impact of your security environment is the first step to building a security capability that’s effective, efficient, and fit for purpose.

How Do You Compare to Your Peers?

From our extensive IT benchmarking work, we see cyber spend vary hugely, from 3.5% to 18.4% of the total IT budget.

Why the difference?
Industry, maturity, supplier models, operational technology, complexity… and most importantly, how organisations classify “cyber”.

Without independent IT benchmarking, it’s almost impossible to know whether your spend and controls are appropriate for your size, sector, and risk profile. Many organisations still ask:

Are we spending enough? Are we spending too much? Are we spending in the right places compared to peers?

Supply-chain risk is now unavoidable because so much security depends on third-party services. This makes effective IT sourcing and supplier management critical.

Are You Focusing on the Right Things?

Some organisations overspend but remain exposed. Others spend less but are surprisingly resilient.

This is because cyber effectiveness isn’t just about how much you invest, it’s about whether your controls, processes, maturity and tools work together in a balanced, coordinated way.

Common issues we see include:

  • Overlapping or underused security tools
  • Legacy systems introducing avoidable risk
  • Gaps in governance or accountability
  • Limited supply-chain visibility
  • Under-resourced incident response
  • A lack of user awareness
  • Slow or degraded IT performance caused by over-engineered or outdated security layers

To improve your security posture, you need a structured way to identify what’s missing, what’s working, and what needs attention, not just a list of technical fixes.

That structure comes from using a recognised framework.

Why We Align with the NCSC CAF and NIST

We structure our assessments around the NCSC (National Cyber Security Centre) CAF (Cyber Assessment Framework), which provides a clear, practical way to understand cyber maturity across four areas: Manage Risk, Protect, Detect, and Minimise Impact.

CAF is closely aligned with the internationally adopted NIST Cybersecurity Framework (CSF), and the UK’s Cyber Governance Code of Practice maps directly to NIST. This means we can confidently benchmark organisations against both UK and global best practice.

Using CAF and NIST together helps to:

  • Provide a consistent, business-friendly view of cyber maturity
  • Highlight the areas that will reduce the most risk
  • Create a common language between IT, security, and senior leaders
  • Ensure investment is aligned to actual threats and priorities

Together, CAF and NIST give a complete picture of where you are today, where you need to be, and the most effective route to get there.

Where ImprovIT Helps

We help CIOs, CFOs, CISOs, and Boards get clarity through:

✔ Cyber maturity assessment (NCSC CAF and NIST aligned)

A clear view of your strengths, gaps, and risk exposure.

✔ Peer comparison and spend benchmarking

Powered by our database of 2,400+ analyses.

✔ Cost transparency and tool rationalisation

Identify hidden costs, inefficiencies, and opportunities to simplify.

✔ Practical, prioritised roadmap

No jargon. No 200-page audit. Just clear actions.

Cyber Security Doesn’t Need to Be Overwhelming

With the right data and a balanced, CAF and NIST-aligned approach, cyber becomes:

  • Understandable
  • Measurable
  • Right-sized
  • Aligned to business goals

Most organisations already have many of the right components; the challenge is knowing how they fit together. If you want visibility of your cyber posture, spend, and risks, contact us for an informal conversation.

Clarity beats uncertainty, every time.

FAQs

How do I know if my organisation is secure enough?

The only reliable way is through a structured assessment. Benchmarking your cyber maturity and controls against similar organisations shows exactly where you stand and where you may be exposed.

Are we spending too much or too little on cyber security?

It varies widely. Our benchmarking work shows cyber spend can range anywhere from 3.5% to 18.4% of the IT budget. Without comparison to peers, it’s difficult to know whether your investment is appropriate for your level of risk.

Why use the NCSC CAF or NIST Cybersecurity Framework?

CAF and NIST give a structured, easy-to-understand way to measure cyber maturity. CAF is the UK’s preferred framework, NIST is the global equivalent, and the UK’s Cyber Governance Code of Practice can be mapped to NIST. Using them together ensures your risk, spend and controls are assessed consistently and aligned to best practice.

What does a cyber assessment include?

We review your controls, governance, tools, supply-chain risk, incident readiness, and spend. You receive a clear maturity score, a view of how you compare to peers, and a prioritised improvement roadmap.

Is cyber security only about technology?

Not at all. Many weaknesses come from processes, governance, supplier risk and user behaviour. A strong cyber posture needs both technical controls and good operating practices.

Is this type of assessment suitable for mid-sized organisations?

Yes. In fact, mid-sized organisations often benefit the most, as benchmarking highlights where targeted investment and simplification can make a big difference.

How can ImprovIT help?

We provide an independent, CAF and NIST-aligned cyber assessment supported by benchmarking, cost transparency and practical recommendations, giving you clarity on where you stand and what to focus on next.

ImprovIT are an independent business and technology consultancy. We were founded by former colleagues of Gartner, IBM and HP to help senior IT leaders make the critical decisions that will maximise their technology investments. We’re completely independent and impartial specialists in the use of IT Measurement, Modelling and Benchmarking.

Ready to put insight into action?

Our consultants can help you apply these strategies to your IT challenges. Book a free, no-obligation call to explore how ImprovIT can support your goals.