A posture can look fine and still be wrong
Most businesses that experience a security incident had defences in place. Those defences were misaligned: they reflected an earlier version of the business, or a threat landscape that had since moved on.
An account that was secured when it belonged to an active employee becomes a liability the day that person leaves, if nobody deactivates it. A cloud configuration that was reasonable when a project launched becomes an exposure if it is never revisited. A backup that was set up correctly becomes an assumption the moment it stops being tested. A multi-factor authentication rollout that covered most of the team still leaves the accounts it missed fully exposed.
These are failures of upkeep. The posture was set and then held rigidly, while everything around it kept moving. The business grew. People joined and left. New tools were added. The threat environment changed. The security position did not keep pace with any of it.
This is how environments fall out of step: through the entirely normal process of a business operating and evolving without anyone specifically responsible for keeping the security picture current.
What the posture actually needs to cover
Good posture is about the relationship between controls: how they work together, where they overlap, and where the gaps are.
Access is one of the most important places to look. Who can reach what, and does that still make sense? Permissions have a way of accumulating over time. Someone gets access to a shared drive for a project. A contractor is given credentials to connect to a system. A former employee’s account stays active because offboarding was handled in a hurry. Individually, none of these feel significant. Collectively, they represent a set of open doors that nobody has thought to close.
Endpoints are another consideration. Every device that connects to your network is a potential entry point, including laptops, phones, tablets, and equipment that staff use outside the office and then bring back in. Knowing what is on your network, what software those devices are running, and whether they meet a defined standard is the baseline that everything else builds on.
People are a significant part of the picture, and no technical control fully accounts for them. The majority of security incidents involve a person somewhere in the chain. Staff who understand what a suspicious request looks like, and who feel confident flagging it rather than complying with it, are a meaningful part of the defence. That is a habit that needs to be reinforced regularly, rather than a training exercise run once and considered complete.
Underneath all of this, there needs to be a recovery position. Backups that have been tested, not just configured. A clear understanding of what happens if something does go wrong, what gets restored, in what order, and how long it takes. The businesses that recover well from incidents are almost always the ones that had thought through that scenario before they needed to use it.
Posture requires maintenance
You build habits. You check in. You correct small things before they become larger problems.
In practice, that means access reviews happen when people change roles or leave, rather than annually if someone remembers. It means the device inventory is maintained, rather than reconstructed from scratch when something goes wrong. It means updates and patches are applied on a consistent schedule rather than deferred until a problem forces the issue. It means someone is looking at the environment regularly enough to notice when something has moved out of alignment.
The requirement is process, consistency, and someone who owns the responsibility of maintaining the picture. That last part is often the missing piece. Ownership.
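A recurring check for the drift described above (accounts left enabled after someone leaves, accounts the MFA rollout missed, backups that are no longer tested) can be small. This is an added example, not part of the original article; the roster, account export, field names and the 90-day restore-test threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster, an
# identity-provider account export, and the date of the last restore test.
ROSTER = {"asmith": "active", "bjones": "left", "cpatel": "active"}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "mfa": True},
    {"user": "bjones", "enabled": True, "mfa": True},       # left, still enabled
    {"user": "cpatel", "enabled": True, "mfa": False},      # missed by MFA rollout
    {"user": "vendor-tmp", "enabled": True, "mfa": False},  # contractor, no owner
    {"user": "dlee", "enabled": False, "mfa": False},       # correctly disabled
]
LAST_RESTORE_TEST = date(2024, 1, 15)
MAX_RESTORE_TEST_AGE_DAYS = 90  # assumed policy threshold


def posture_drift(roster, accounts, last_restore_test, today,
                  max_age_days=MAX_RESTORE_TEST_AGE_DAYS):
    """Return (subject, issue) pairs where the environment has drifted."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not an open door
        user = acct["user"]
        status = roster.get(user)
        if status == "left":
            findings.append((user, "enabled account for departed employee"))
        elif status is None:
            findings.append((user, "enabled account with no owner on the roster"))
        if not acct["mfa"]:
            findings.append((user, "enabled account without MFA"))
    # A backup that is configured but never restored is an assumption.
    age = (today - last_restore_test).days
    if age > max_age_days:
        findings.append(("backups", f"last restore test was {age} days ago"))
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the sample output is stable
    for subject, issue in posture_drift(ROSTER, ACCOUNTS, LAST_RESTORE_TEST, today):
        print(f"{subject}: {issue}")
```

Run on a schedule and on every joiner, mover or leaver event, the output becomes the worklist for whoever owns the posture.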
What poor posture actually costs
The visible cost is an incident: a breach, a ransomware event, a fraud. Those get attention because they are impossible to ignore and expensive to recover from.
The less visible cost is the cumulative drag of an environment that nobody is actively maintaining. Licences renewing for tools nobody uses. Cloud storage costs inflated by data that has no business reason to exist. IT time absorbed by problems that trace back to configurations nobody has reviewed in years. Compliance exposure that sits quietly until an auditor asks the right question.
There is also a reputational dimension that is harder to quantify but real. Clients and partners increasingly want to know that the businesses they work with handle data responsibly. An environment that has not been reviewed is not one you can speak confidently about.
A risk that is understood and actively managed is a different position from one that is unpredictable and potentially serious. Good posture is what gets you there.
The posture question
If someone asked you today to describe your security position, not your tools but your actual exposure, how confident would you be in the answer?
If the answer is uncertain, that is worth paying attention to. Without visibility you have no way of knowing whether something has gone wrong. In security, the things you cannot see are exactly the things that tend to matter.
An IT audit gives you that visibility. A clear picture of where you stand, what is working, where the gaps are, and what needs to change. That is where sensible decisions about security start.