Introducing The Defensive Dozen

Cybersecurity has a noise problem. Every jurisdiction has a framework, every framework has a laundry list of controls, and every control has a consultant who'd quite like to sell you a project. For anyone trying to work out what matters, it's exhausting — and the honest answer is that a lot of it can wait.
I've just published The Defensive Dozen: twelve controls, in plain English, in the order I think matters. It's the page I wish I had when I was first building businesses. It's not exhaustive, it's curated. Focus on these and you will be in a great place.
Where this came from
The Defensive Dozen is an evolution of a ten-control framework I put together at Tenzing when I was setting up cybersecurity governance for their £1.5Bn portfolio. The brief will be familiar to anyone in PE:
- How can we be sure we are continuously mitigating cyber risk in a way the Chair, CEO, Board and Investors can understand?
- What does "good" look like?
Why these twelve
There are good frameworks already. Cyber Essentials is the UK baseline and a great first stop. ISO 27001 and SOC 2 are international standards that many buyers want to see. NIST CSF 2.0 shows up all over the place as a way of thematically assessing posture by domain. There are many more...
These are all great, but businesspeople want to be able to take focussed actions that move their business in the right direction.
- First, the frameworks are too complex to memorise. People execute most effectively when they have a simple model of reality in their heads that they can check decisions against. This is why people try to derive principles for so many things; think of the Defensive Dozen as principles for cybersecurity.
- Second, the order matters. Most frameworks are organised alphabetically or by domain, which obscures the fact that some controls are dramatically more important than others. Identity and access management is the single highest-leverage thing you can fix. Patching is unglamorous and enormous in its impact. 24/7 monitoring is expensive and often the right call to defer. I wanted something that made those priorities clear.
What good looks like
Each control on the page comes with a short "what good looks like" — three concrete bullets that let you compare your own setup against a reasonable target. Not a maturity model with five tiers and a heat map. Just: here's what well-defended looks like, how does yours compare?
Some of those targets will feel out of reach for smaller businesses. That's fine. The point is to know where the gaps are and have a view on which gaps matter most for your stage, your sector, and your risk profile. A pre-seed startup and a £20m revenue business should have very different answers — but they should both be able to look at the list and have an opinion.
How to use it
I use it in two ways:
- A self-assessment. Walk through the twelve, score yourself honestly against "what good looks like", and you'll have a credible gap analysis in no time. That's enough to brief a board, scope a budget, or shape a conversation with whoever runs your IT.
- A mental model to sanity-check spend. So much of running a business is making investment decisions; use the dozen to give structure and prioritisation to your cybersecurity spending and make sure you are focussing on the highest-impact areas.
Bottom line
The Defensive Dozen isn't exhaustive and isn't meant to replace a proper framework when you need one. It's meant to be the thing you can hold in your head — twelve areas, in priority order, with a clear picture of what good looks like for each. Get those right and you're ahead of most businesses your size.
If you're navigating similar challenges, we can help—from cyber risk assessments to architecture advice, AI advice, training, operating model design or trusted partner introductions. Reach out below.👇