The Stage Most Cyber Providers Skip – Part 5

In the penultimate blog of our six-part series around the cyber security issues facing the construction industry, our Head of Customer Success, Chris Yates, shines a light on the Confirm stage of our CyberAscend framework.

CY: We’re four stages into the CyberAscend journey now. Initiate set the direction. Discover gave the honest picture. Remediate did the work.

This is the moment where most cyber providers quietly disappear. The report has been delivered. The invoice has been raised. They’re on to the next client.

In CyberAscend, this is where Confirm begins. And in my experience, it’s the stage that separates cyber programmes that genuinely make a business safer from the ones that just produced a nice document.

What Confirm Actually Means

Confirm isn’t a re-test. It isn’t a checkbox at the end of a project plan. It’s the stage where we stay engaged with you as remediation progresses, to understand how it’s going, to verify that what’s being delivered is meeting expectations, and to watch the wider impact across the organisation.

That last part matters more than people think. In a construction business, a security change is almost never isolated. Tighten identity controls and someone’s mobile workflow breaks on a remote site. Harden a cloud configuration and a supplier integration starts failing. Roll out a new authentication policy and the site teams find a workaround that creates a worse risk than the one you removed.

These are the moments where well-intentioned remediation either bites in for the long term or quietly unravels.

Why “Implement and Walk Away” Costs You

Three things go wrong when a cyber provider hands over and vanishes:

  • Controls degrade. Configurations that were correct on the day of handover get relaxed by people who weren’t in the original conversation, for reasons that seem locally sensible. A few weeks later, the posture isn’t what the report said.
  • Side effects don’t get caught. The unintended impact on operations, suppliers or programme teams isn’t surfaced until it bites, usually at the worst possible moment.
  • Ownership evaporates. Without someone staying close to the work, accountability quietly disperses. When something does go wrong, the conversation becomes about whose fault it was, not how to fix it.

In construction, all three of those translate into the same thing: delivery risk you thought you’d retired, reappearing under a different name.

What Confirm Looks Like in Practice

When we run Confirm with a construction business, we stay engaged across three threads.

  • Progress verification. We check that remediation work agreed in the previous stage is genuinely landing, not just marked closed in a ticket. Where actions are slipping, we flag them early and help unblock them, rather than waiting for the next steering meeting.
  • Expectation alignment. We verify that what’s being delivered matches the outcomes leadership agreed in Initiate. If reality has drifted, we have the conversation while it’s still cheap to correct.
  • Wider impact awareness. We actively look for the second-order effects of remediation across operations, supply chain, and your people, and adjust before those effects become noise, friction or, worse, a workaround that introduces new risk.

The shift that matters in Confirm:

Cyber providers prove their value not on the day they hand over, but in the weeks that follow. The right question to ask isn’t “have you implemented it?”, it’s “are you still alongside us while it beds in?”

Why This Matters, Especially in Construction

In most industries, a cyber change can be tested in a relatively contained environment. In construction, the environment is the business. Sites, plant, suppliers, design partners, mobile workforces, client systems. Change doesn’t bed in cleanly. It bumps.

Confirm is where you ride those bumps with someone who knows the original objectives, knows the work that’s been done, and can adjust intelligently rather than panic. Without that, every operational hiccup risks becoming a reason to roll back the security improvement that caused it.

That’s how good remediation programmes quietly die.

A Question for Construction Leaders

Six months after your last cyber project closed, was anyone internal or external still actively checking that what you implemented was holding up? Or did the report get filed and the conversation move on?

What’s Next in This Series?

Even Confirm has an endpoint. The remediation eventually beds in, the side-effects settle, the programme stabilises. And then a new threat emerges, the business changes, a regulation shifts, a new supplier joins and the whole picture starts to move again.

That’s why CyberAscend has a fifth stage, Continue, and why we treat cyber security as a posture rather than a project. In the final post of this series I’ll bring the whole journey together, talk about how Continue keeps construction businesses resilient over the long term, and what the role of our CREST-accredited SOC really is. Keep an eye out for it later in the series.

Want a head start?

If you’d like to see what your current cyber posture looks like through a construction-delivery lens, get in touch. We’ll run a no-obligation CyberAscend Initiate conversation with you and your leadership team, and you’ll come out of it with a clearer view of your risk, your readiness, and your next three moves.