My colleague’s talk revolved around the need for the project to provide a suitable level of assurance; the audience sat and listened in attentive silence, seemingly fully engaged. A lone voice called out, “This assurance, is it software we can go out and buy?” But I think the fact the question was asked reveals a lot about how cyber security is seen in many organizations. You buy a software or hardware solution to address a potential problem and that’s all there is to it. … That idea is akin to saying windscreen wipers on your car makes it safe to drive in all weathers, then never worrying about when to use them, when to have them go back and forth intermittently or continuously, when to replace the wiper-blades or whether you can still drive at 70mph down the motorway in torrential rain and blizzards.