<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Cork's Substack]]></title><description><![CDATA[Cyber confidence and business continuity for MSPs and the businesses they protect.]]></description><link>https://blog.corkinc.com</link><image><url>https://substackcdn.com/image/fetch/$s_!R8Xj!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F374bb124-1483-4acf-8930-865ec1002ca6_215x215.png</url><title>Cork&apos;s Substack</title><link>https://blog.corkinc.com</link></image><generator>Substack</generator><lastBuildDate>Thu, 16 Jul 2026 18:43:11 GMT</lastBuildDate><atom:link href="https://blog.corkinc.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Cork Cyber]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[corkcyber@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[corkcyber@substack.com]]></itunes:email><itunes:name><![CDATA[Cork Cyber]]></itunes:name></itunes:owner><itunes:author><![CDATA[Cork Cyber]]></itunes:author><googleplay:owner><![CDATA[corkcyber@substack.com]]></googleplay:owner><googleplay:email><![CDATA[corkcyber@substack.com]]></googleplay:email><googleplay:author><![CDATA[Cork Cyber]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Cybersecurity Is a Journey. Most Companies Can't Tell You Where They Are on the Map]]></title><description><![CDATA[A simple framework for measuring your security posture, and actually knowing whether it's improving]]></description><link>https://blog.corkinc.com/p/cybersecurity-is-a-journey-most-companies</link><guid isPermaLink="false">https://blog.corkinc.com/p/cybersecurity-is-a-journey-most-companies</guid><dc:creator><![CDATA[Cork Cyber]]></dc:creator><pubDate>Thu, 16 Jul 2026 13:16:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!R8Xj!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F374bb124-1483-4acf-8930-865ec1002ca6_215x215.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Ask most business leaders a straightforward question. Are you safer today than you were six months ago? Almost none of them can answer it.</p><p>They can tell you what they bought. The firewall. The antivirus. The email filter. What they can&#8217;t tell you is whether any of it is working, whether the gaps from last year are closed, or whether the number that matters most, their actual risk, is moving in the right direction.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.corkinc.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Cork's Substack! Subscribe for free to receive new posts from us!</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>That is the problem with how most organizations think about security. They treat it as a project. Something you do once, check off, and forget. But security was never a destination you arrive at. It is a posture you hold, and posture drifts the moment you stop paying attention.</p><h4>The mindset shift</h4><p>Three ideas sit underneath everything else.</p><p>Security is an ongoing process, not a set-and-forget purchase. Your attack surface grows every time you add a device, hire an employee, or turn on a new cloud app. What was enough last year can be dangerously thin today.</p><p>Security has to be woven into how you operate, not bolted on afterward. Every hire, every purchase, every onboarding step either strengthens your posture or quietly weakens it.</p><p>And most important: you cannot improve what you cannot measure. Without a way to score where you stand, &#8220;getting more secure&#8221; is a feeling, not a fact.</p><p>So how do you measure something as sprawling as security posture? You break it into dimensions you can actually see.</p><h4>The four dimensions of security posture</h4><p>A complete picture of your security health comes from four questions. Each one is a lens. Together they are a system.</p><p><strong>1. Are your controls actually working?</strong> Not licensed. Not purchased. Working. This is where the first gap almost always shows up. A firewall nobody monitors is not protection. EDR that never got deployed to that one forgotten laptop is not coverage. The details matter here, and they compound: multi-factor authentication alone blocks over 99 percent of automated credential attacks, and more than 90 percent of attacks still start in the inbox.</p><p><strong>2. Are policies being followed?</strong> The human layer is where most breaches actually happen. Verizon&#8217;s Data Breach Investigations Report puts it at 82 percent of breaches involving a human or policy element. Training completions, access reviews, policy acknowledgments. This is unglamorous work, and it is also the difference between a defensible organization and an exposed one.</p><p><strong>3. Are known weaknesses getting fixed?</strong> Attackers do not need a zero-day when you have left the front door open for a month. Roughly 60 percent of breaches exploit vulnerabilities that are already more than 30 days old. Measuring posture here means knowing your patch windows and holding to them. Critical issues in a day or two. High within a week. Nothing important left to drift.</p><p><strong>4. What does your history tell you?</strong> Past incidents and claims are not just scars. They are a signal. A pattern of incidents points directly at gaps in the first three dimensions, and it shapes something with real dollars attached: your insurability, your premiums, and the terms carriers are willing to offer you at all.</p><h4>Why all four, together</h4><p>Here is the part people miss. No single dimension tells the truth on its own.</p><p>A company can have a beautiful security stack and terrible patching habits. Another can pass every compliance check and still have no MFA on a critical account. Strength in one area does not cover weakness in another. You need all four in view at once.</p><p>And when you measure them consistently over time, you get the thing that actually matters. Not a snapshot. A trajectory. You stop asking &#8220;are we secure,&#8221; a question with no honest answer, and start asking &#8220;are we getting safer,&#8221; a question you can prove.</p><h4>From four questions to one number</h4><p>This is the thinking behind the Cork Cyber Score. We take these dimensions and turn them into a single, trackable baseline, the way a credit score turns your financial health into one number you can actually work with and improve over time.</p><p>The idea is simple: pick your dimensions, measure them honestly, and watch the direction of travel. The organizations that treat security as something measurable, rather than something they hope is handled, are the ones that sleep better at night.</p><p>Security is a journey. The least you can do is know where you stand on the map.</p><div><hr></div><p><em>This is the first in a series where we break down how modern organizations measure, track, and improve their cyber posture. Follow along, and <a href="https://www.corkinc.com">visit Cork&#8217;s website</a> to learn more!</em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.corkinc.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Cork's Substack! Subscribe for free to receive new posts from us!</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>