Somewhere around 2022, the professional consensus in enterprise cyber security quietly changed. The change wasn’t announced. There wasn’t a keynote. But if you put a working CISO from a UK enterprise in a quiet room and ask them what they’re actually trying to achieve, the answer they give now is not the answer they would have given five years ago.
Five years ago, the answer was: keep the attackers out.
Now the answer is: assume some of them are already in, and make sure you can spot them, evict them, and recover from anything they did before you spotted them, within a useful timeframe.
This sounds like a small adjustment. It isn’t. The whole shape of a credible security programme follows from which of those two sentences you actually believe. The first one leads to a buying pattern centred on prevention: firewalls, endpoint protection, awareness training, posture management. Money goes into raising the wall. The second one leads to a different pattern entirely: detection, response, forensic capability, recovery infrastructure, and the operational machinery to make all of those things work fast. Money goes into shortening the time between something bad happening and something useful being done about it.
Most enterprise security budgets are still shaped by the first sentence. Most working CISOs are operating by the second. This gap is responsible for a fair number of late-night phone calls.
The shift wasn’t caused by any single event, though SolarWinds, the wave of supply-chain attacks that followed, and the steady drumbeat of ransomware incidents through 2023 and 2024 all contributed. It was caused by a slow accumulation of evidence that the prevention-first model wasn’t holding. The attack surface had expanded too much. SaaS adoption, hybrid work, the multiplication of identities, the explosion of agent-based and service-account access — there were now too many doors for “keep them locked” to be the headline strategy. The honest, grown-up acknowledgement was that some of those doors were going to be open at any given moment, and the discriminator between organisations that handle that well and organisations that end up on the front page is mean-time-to-detect and mean-time-to-respond, not the height of the wall.
This is the operational logic behind the rise of services like Microsoft’s Managed Extended Detection and Response designation, and behind the small number of providers Microsoft has actually verified to deliver against it. Microsoft Sentinel and Defender XDR together can produce a level of cross-estate visibility that was unavailable a few years ago, but they only deliver value if there’s a team monitoring them around the clock, tuning them constantly, and acting on the signals fast enough to matter. Building that team in-house is expensive and increasingly impractical for any organisation outside the largest enterprises.
What the better Microsoft cyber security consultancies are now selling is, in essence, the operational missing piece. The product side of the security stack is in good shape; Microsoft has done years of unglamorous integration work to make Sentinel, Defender, Entra and Purview work together. What’s harder to buy off the shelf is the twenty-four-hour human capability to make use of it: the analysts who know what a real incident looks like versus a tuning artefact, the playbooks that turn detection into response without three meetings, and the institutional muscle memory that comes from handling enough actual incidents to recognise the early shapes of the next one.
The interesting consequence of all this, for security buyers, is that the questions worth asking a prospective provider have changed. The old questions were about coverage and certifications: which products do you support, what frameworks are you aligned to. The new questions are operational. How fast do you detect on a real incident, not a tabletop exercise? What was the median time from first signal to containment across your active customer base last quarter? When did you last fail to contain something fast enough, and what did you change as a result? These are harder questions, and providers who answer them well tend to be a different kind of provider from those who answer the old ones well.
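The operational questions above only work if the buyer and the provider agree on what is being measured. The script below is an added example, not code from the article or from any provider it describes: it takes a constructed set of incident records, each with a first-signal, detected and contained timestamp, and reports mean and median time-to-detect, time-to-respond and first-signal-to-containment, plus which incidents exceeded an assumed containment SLA. The incident ids, timestamps and the 60-minute threshold are all constructed for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real cases). Each record carries
# the three timestamps the article's metrics depend on:
#   first_signal : earliest telemetry that, in hindsight, belonged to the incident
#   detected     : an analyst triaged it as a real incident rather than a tuning artefact
#   contained    : the affected host or identity was isolated or its access revoked
INCIDENTS = [
    {"id": "INC-0001", "first_signal": "2024-03-02T01:12:00", "detected": "2024-03-02T01:40:00", "contained": "2024-03-02T02:05:00"},
    {"id": "INC-0002", "first_signal": "2024-03-05T14:00:00", "detected": "2024-03-05T14:09:00", "contained": "2024-03-05T14:30:00"},
    # A late-night signal that sat unread until the day shift arrived.
    {"id": "INC-0003", "first_signal": "2024-03-11T22:30:00", "detected": "2024-03-12T06:15:00", "contained": "2024-03-12T07:00:00"},
    {"id": "INC-0004", "first_signal": "2024-03-15T09:05:00", "detected": "2024-03-15T09:11:00", "contained": "2024-03-15T09:20:00"},
    {"id": "INC-0005", "first_signal": "2024-03-20T18:40:00", "detected": "2024-03-20T18:52:00", "contained": "2024-03-20T19:35:00"},
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps; refuses out-of-order events."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"event order violated: {start} is after {end}")
    return delta.total_seconds() / 60


def phase_durations(incident: dict) -> dict:
    """Split one incident into the three durations worth reporting separately."""
    return {
        "id": incident["id"],
        "to_detect": _minutes(incident["first_signal"], incident["detected"]),
        "to_respond": _minutes(incident["detected"], incident["contained"]),
        "signal_to_containment": _minutes(incident["first_signal"], incident["contained"]),
    }


def summarise(incidents: list) -> dict:
    """Mean and median of each phase across the incident set, in minutes."""
    rows = [phase_durations(i) for i in incidents]
    summary = {}
    for phase in ("to_detect", "to_respond", "signal_to_containment"):
        values = [r[phase] for r in rows]
        summary[phase] = {"mean": round(mean(values), 1), "median": median(values)}
    return summary


def containment_breaches(incidents: list, sla_minutes: float) -> list:
    """Incident ids whose first-signal-to-containment time exceeded the agreed SLA.
    The SLA threshold is an assumed parameter, not a figure from the article."""
    return [r["id"] for r in (phase_durations(i) for i in incidents)
            if r["signal_to_containment"] > sla_minutes]


if __name__ == "__main__":
    for phase, stats in summarise(INCIDENTS).items():
        print(f"{phase:>22}: mean {stats['mean']:>6} min, median {stats['median']:>6} min")
    print("breached 60-minute containment SLA:", containment_breaches(INCIDENTS, 60))
```

On the constructed data the median time-to-detect is 12 minutes while the mean is 104, because one overnight incident went unread for nearly eight hours. That gap is exactly why the question in the text asks for a median and, separately, for the last incident that was not contained fast enough: a provider quoting only a mean, or only a median, is hiding one half of the picture.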
The boards approving security budgets are still, in many cases, operating on the old model. They want to hear that the organisation is protected. The competent CISO has to translate “we have shortened our mean-time-to-respond from forty-three minutes to nine” into something a non-technical audience can recognise as money well spent. This translation is one of the genuinely difficult parts of the job, and most CISOs are doing it without quite enough help.
The technology has moved on. The threat model has moved on. The buying conversation, in most organisations, is the thing that hasn’t.