ITbuilder Ltd.

We provide managed IT services including: fully or co-managed IT support and security, cloud hosting and productivity solutions, data protection and recovery, telephony and managed networks.

15/06/2026

"One of the biggest misconceptions I see in cyber security is the belief that capability automatically equals maturity.
It doesn't.

Many organisations invest heavily in security tools, monitoring platforms, and protection technologies. They build an impressive security stack and assume that because the capability exists, the risk has been addressed.

But that's not always the case.

I often compare it to owning a Ferrari.

You might have one of the best-performing cars on the road, but if you've only just passed your driving test, you're unlikely to get the most out of it.

Cyber security works in much the same way.
The value isn't simply in owning the tools. It's in how effectively they're configured, managed, monitored, and governed over time.

That's where maturity comes in.

Good governance helps organisations understand whether their security investments are actually reducing risk, whether controls are performing as expected, and where improvements are needed.
Without that visibility, it's easy to mistake capability for effectiveness."

In this short video, our Managing Director, Henry Lawrence, explains why capability and maturity are not the same thing — and why understanding the difference is essential for making better cyber risk decisions.

We've explored this topic and others throughout our vCISO Explainer Series, covering governance, risk, compliance, and cyber leadership for growing organisations.
https://hubs.la/Q04l1hCv0

12/06/2026

Here's a sentence from a real security report presented to a board:

"Seventeen medium-severity CVEs identified in the external scan; patching cadence for non-critical systems is running at 14 days behind SLA."

Every word is accurate.

None of it tells the board anything they can act on.

The translation required isn't just linguistic. It requires someone to answer the questions underneath the data:

What does this mean for the business?
What could go wrong, and how badly?
What decision does the board need to make?

Without that translation, boards default to one of two responses:

Passive acceptance: "The IT team says we're fine."
Reflexive investment: "Buy more tools."

Neither is governance.

Closing the gap between security controls and board-level risk ownership requires a specific capability — not technical expertise alone, but the ability to see risk from both sides of the conversation.

That's the subject of Article 7, the final article in the governance phase of this series.

https://hubs.la/Q04l9H540

─────────────────────

Next week we move into the decision phase: what a vCISO actually does, and how the commercial case stacks up.

The series closes live on 30 June.

📅 How Leaders Should Govern Cyber Risk — free webinar

🔗 Register: https://hubs.la/Q04lbt2b0

Learn how a vCISO translates complex cyber risks into actionable insights for executives, bridging the gap between technical security and business governance.

10/06/2026

Do you have the right data foundations for Copilot?

Clean, connected data is the first step to getting useful answers, reliable automations, and better decisions from AI.

In our new e-book you'll find practical steps to become AI-ready, including how to:
🔹 Gather and connect your data sources
🔹 Improve data quality for more accurate results
🔹 Prepare your estate for automation and AI assistants

Download the guide and get a straightforward plan for preparing your data estate.

https://microsoft.channext.com/itbuilder/fabric-25?lang=en_US&utm_source=fb&utm_term=39484

10/06/2026

There’s a big question that often gets overlooked when we talk about cyber risk - and that’s ownership.
And this is where it gets tricky.

In reality, the business owner is the one who ultimately owns the risk for their cyber controls.
But what I’ve seen in practice is that when organisations outsource their security - or put someone else in charge of running their tools - that responsibility can start to feel distant. Almost like it sits somewhere else entirely.

The challenge is that cyber risk doesn’t operate in the background.
Every day, every second, there are active threats targeting systems and businesses. And when something does happen, if leadership is disconnected from that reality, response and recovery almost always become slower and more difficult than they need to be.

Where things really change is when cyber leadership and business leadership are properly aligned.

That’s when the business leader is brought into security conversations in a meaningful way. They’re given clear, structured reporting that translates cyber risk into their world - not technical noise. And they can start asking the right questions based on real understanding, not assumption.

It also means confidence - confidence that compliance requirements are being managed continuously, not rushed at the end before an audit or certification.

In this short video, our Managing Director, Henry Lawrence, talks about why ownership is such a critical gap in how organisations approach cyber risk today.

We’ve actually broken this down further into a 9-part Governance, Risk & Compliance series, where we explore each of these challenges in more detail.

You can find it here:
👉 https://hubs.la/Q04kKwm10

09/06/2026

New data protection complaints regulations come into force on 19 June 2026. Most SME boards aren't prepared for what that actually means.

The Data (Use and Access) Act 2025 isn't just a process update. It marks a shift in how the ICO will assess compliance — moving away from 'does a procedure exist?' towards 'can leadership demonstrate it works?'

That distinction matters enormously for UK SMEs.

→ Board-level ownership of complaint handling is now expected, not optional
→ Persistent or mishandled complaints escalate faster to regulatory enforcement
→ Historic certification — GDPR policies, Cyber Essentials, ISO 27001 — won't substitute for evidenced governance

In my experience, the gap isn't usually a missing policy. It's missing ownership. Complaints fall between compliance, IT, and customer service teams — and nobody at board level has clear sight of the risk until it becomes a problem.

This week's article sets out what the new regulations require, where the real governance risks sit for SME leadership, and the practical steps boards should be taking before the deadline.

👉 https://hubs.la/Q04kD5Xd0

And if you want to explore this further — we're running a live webinar on 30th June: *How Leaders Should Govern Cyber Risk*. Link to register in comments.

The Data Protection Complaints Regulations will reshape how SMEs in the UK manage and govern data protection complaints. This executive briefing for business leaders distils the new regulatory requirements, the governance implications, and practical steps for aligning your board-level risk ownership...

05/06/2026

Risk doesn't wait for an owner to be appointed before it starts accumulating.

An organisation can go months — or years — with cyber risk in an informal space between IT operations and senior leadership. Most of the time, nothing immediately terrible happens.

Until it does.

In November 2023, a mid-sized UK accountancy firm experienced a ransomware incident. The attacker had been inside the network for 23 days before detection. The initial access was a compromised credential belonging to a junior member of the accounts team — an account with more permissions than it needed, because nobody had reviewed access rights in over two years.

The firm had Cyber Essentials.
It had an MSP providing 24/7 monitoring.
It had recently passed a GDPR compliance review.

The tools didn't fail. The governance did.

Three weeks of operational disruption. Notification obligations to around 400 clients. Two significant client mandates lost.

The harder truth: when an incident occurs in an organisation without cyber risk governance, accountability doesn't sit with IT. It doesn't sit with the MSP.

It traces to the board.

Article 6 covers the regulatory, commercial and legal consequences of the governance gap — and why they arrive at board level regardless of whether anyone up there identified it.

https://hubs.la/Q04kfP_70
─────────────────────

📅 Webinar: How Leaders Should Govern Cyber Risk
30th June · Live · Free to register

🔗 Read + register: https://hubs.la/Q04kfSJr0

Understanding cyber risk governance is crucial. Without ownership, risks escalate and lead to significant board-level consequences. Learn how to close governance gaps.

02/06/2026

77% of UK organisations experienced a cyber incident in the past year. Nearly all review incidents after the fact. Only a third have high management engagement in those reviews.

That gap — between tools deployed and leadership actually owning the risk — is where most SMEs remain exposed.
Henry Lawrence, our MD, has written on exactly this: why cyber resilience for UK SMEs is increasingly a governance problem, not a technology one.

→ IT teams can't carry board-level risk decisions alone
→ Incident response plans that aren't rehearsed by leadership don't hold under pressure
→ Compliance certification is a baseline — not an end state
→ Insurance coverage can hinge on whether risk ownership is demonstrable

https://hubs.la/Q04jMXgP0

Henry is also hosting a live webinar on 30 June — governing cyber risk at leadership level. Link in the comments 👇

UK SMEs are making progress in cyber resilience, but a lack of active involvement from leadership and gaps in governance leave critical operational risks unmanaged. Explore practical steps for directors to strengthen oversight and accountability—beyond compliance.

29/05/2026

Your MSP is doing its job. Your SOC is monitoring. Your certification is current.

And yet something feels uncertain.

If that resonates, it's probably because you're sensing a gap that almost nobody is explicit about.

Managed security services are excellent at operational security — keeping systems running, monitored and patched. Compliance frameworks tell you what good looks like. Both are genuinely valuable.

What neither of them does is own your risk on behalf of your board.

There is no tool, certification or service that answers the questions your board actually needs answered:

What is our cyber risk exposure as a business?
Is it at a level the board accepts?
Who is responsible for ensuring it stays that way?

This is the governance gap. It sits above the operational security layer. It's structural. And most organisations don't know it exists.

Article 5 maps it clearly — and introduces our governance readiness checklist, which surfaces the questions your board should be able to answer right now.

─────────────────────

We're also opening registration for our series closing webinar:

📅 How Leaders Should Govern Cyber Risk — And Why Most Don't
30 June · Live · 45 min + Q&A

Register at https://hubs.la/Q04jk-c10

🔗 Article + checklist + register: https://hubs.la/Q04jk-c10

28/05/2026

Many UK SMEs will soon face much stricter expectations around cyber security, not just from regulators but within their own business supply chains.

The new Cyber Security and Resilience Bill is more than another compliance hurdle—it fundamentally shifts cyber risk ownership to business leaders and their boards.

This raises the stakes for those reporting on resilience, and for directors personally.

We share a practical analysis of what’s changing, why it matters for midsized businesses, and where leadership focus is most needed.
Forward-thinking governance is quickly becoming a business imperative.

Read the full article here:

https://hubs.la/Q04j7NHM0

The UK Government’s Cyber Security and Resilience Bill imposes new compliance and cyber risk management duties on managed service providers. Henry Lawrence reviews the challenges for SME leadership teams and offers practical steps to strengthen business resilience.

Address

2A Great Northern Works, Hartham Lane
Hertford
SG14 1QW

Opening Hours

Monday 8am - 6pm
Tuesday 8am - 6pm
Wednesday 8am - 6pm
Thursday 8am - 6pm
Friday 8am - 6pm

Telephone

+443333440980
