Many organisations fail to generate real cyber security improvement because they repeat the same types of activities each year. For most organisations, the level of security never truly improves over time. At best it stays the same, and at worst it declines as attackers effectively invest more than defenders.