Professional Security Magazine: What businesses need to know before buying
Writing in Professional Security Magazine, Nick Walker, Regional Director for EMEA at NetSPI, examined why many organisations invest in advanced cyber services before they are ready to benefit from them, and argued for a stronger focus on fundamentals. Read the preview below.
Getting the basics right before buying advanced security
Regarding “What businesses need to know before buying” (Professional Security Magazine, 2025): As cyber incidents continue to dominate headlines, organisations are rushing to invest in advanced security services such as red teaming and adversarial simulation. Nick Walker, Regional Director for EMEA at NetSPI, warned that many businesses are buying sophisticated tools before they have the foundations needed to make those exercises meaningful.
Walker explained that the issue is not with high-end testing itself, but with timing. Without basic visibility of assets, reliable patching, access controls, and day-to-day security discipline, advanced tests often surface problems that organisations are not equipped to fix. The result is wasted spend and growing fatigue, rather than improved resilience.
The article highlights a widening gap between ambition and readiness across the UK. The Cyber Security Breaches Survey 2025 found that almost half of businesses suffered an attack last year, yet only 27% have board-level responsibility for cybersecurity, and fewer than one in five have trained staff in the past year. Outside highly regulated sectors, many organisations are encouraged to adopt bank-level security practices without the people, processes, or governance to support them.
Walker also warned that cybersecurity is becoming increasingly performative. Red teaming and adversarial testing can be valuable, but without fundamentals such as endpoint detection, incident response planning, and patch management, they risk becoming theatre rather than protection. Selling complex services to organisations lacking the basics, he argued, benefits neither side.
The article calls for a redefinition of what “basic” means in cybersecurity. Asset visibility, backups, user awareness, and disciplined patching are not entry-level steps, but core strengths that make all other investments worthwhile. Providers, Walker said, should guide customers through steady capability-building journeys rather than pushing them towards complexity too soon.