Published: 19 November 2025

When Governance Becomes a Bottleneck

For ages, the Plan-Do-Check-Act (PDCA) cycle has kept things neat and orderly, but at what cost? Of course, cyber attackers aren’t politely waiting for your next yearly “check” date. While you’re busy with an annual to-do list, your threat landscape has already shifted, new vulnerabilities have emerged, and last quarter’s “acceptable risks” may now be active exploits. The inefficiency is frustrating for security teams and potentially damaging to an organisation’s security posture.  

While PDCA still has an important role in the context of governance and ISO 27001, it needs a more modern, flexible approach to truly support cyber resilience. At Northwave, we often hear from our customers about this challenge, so we looked for ways to address it. When we discovered that nothing else on the market combined the governance discipline of PDCA with speed, visibility, and intelligence, we developed a solution ourselves. But before we explore how it works, it’s worth understanding why the old model can no longer keep up. 

What are the limitations of annual PDCA cycles in cyber security?

Northwave has supported hundreds of different organisations with their Security Management. One common denominator: they have all relied on a yearly cycle, whether a full PDCA, budget-driven or audit cycle. The operational aspects of these cycles were all conducted on an annual basis, including: 

  • risk assessments
  • designing and communicating improvement plans
  • audits

This process typically results in hefty documentation, which is often outdated by the time it is approved. Everything that does not fit within this cycle tends to be treated as a security incident: otherwise known as the 'firefighting approach'.

To clarify: there is nothing wrong with an annual cycle for your Security Management and its processes to continuously improve and secure your organisation. However, this method often leads organisations into a reactive, rather than proactive, approach to emerging threats and risks. As cyber threats become more advanced, frequent and aggressive, traditional PDCA cycles are slowing security teams down instead of empowering them.

Does PDCA Still Work For Security Leaders Today?

Strengths

  • Establishes governance discipline and accountability
  • Aligns with ISO 27001 and GDPR compliance
  • Reinforces a structured improvement mindset

Limitations

  • Annual cadence slows response to emerging threats
  • Documentation and approvals lag reality
  • Reactive culture between cycles encourages “firefighting”
  • Misalignment between evolving risk and planned mitigation

In EU countries where audits and certifications are vital, PDCA remains the baseline. But under NIS2, ISO 42001, and the coming wave of AI governance obligations, it needs a modern makeover.


Modernising Security Management

To address these PDCA challenges, Northwave developed a new approach based on today’s evolving threat landscape, modern insights into security management, and the latest technology. 

Our SAFE (Situate, Assess, Fortify, Evolve) method draws from the core principles of continuous improvement inherent in the PDCA cycle and blends them with agility, intelligence, and the responsiveness required to counter emerging threats with short, continuous cycles. Here is how SAFE transforms PDCA: 


1. Situate

Track internal and external influences on your security with custom AI agents.

Rather than relying on a static snapshot within a document or GRC environment, we deploy purpose-built AI agents to maintain a real-time, dynamic understanding of your organisational context. These agents are continuously fed with data from meetings, reports, incidents, and emerging threats. Within minutes, they translate this context into tailored risks, threat insights, and recommended actions specific to your organisation. 

This phase is always active. Before any insights are shared with the client, they are rigorously verified and evaluated by our experts to ensure accuracy and relevance. The result is a precise, up-to-date risk and security profile. It enables your security goals and KPIs to evolve at the speed of your business. 

2. Assess

Refine security priorities in real time to close the most critical gaps. 

Using the same AI-driven platform, we then work together with the business (the risk-owner) to assess the organisation’s current risk and security profile, validating it on the spot. Instead of endless risk treatment plans covering the next one or two years, you’ll have a clear view of the actions that make a real difference to the most pertinent threats and risks.

By building a focused improvement plan around them, the organisation can concentrate on what’s most relevant right now. You gain immediate prioritisation, sharper focus, and a far shorter exposure window.  

3. Fortify

Shift from planning to action  

Now we get to work on the security tasks identified during the Assess phase. By keeping actions focused, small, and iterative, priorities can be quickly adjusted to respond to threats without delay. Momentum never stalls because we are able to manage multiple currents simultaneously.

During this phase we can also coordinate additional support or resources for your security team, as needed. The result is constant progress towards your security goals. 

4. Evolve

Close the loop with ongoing learning and adaptive governance. 

Lastly, we enable continuous learning and agile adaptation by aligning with your governance cycle and surfacing key security insights in real-time. Included in this phase are our periodic security checks and stakeholder updates to report the progress in achieving your wider security objectives. Meanwhile, any critical issues or urgent responses to emerging threats can be flagged immediately, so executive leadership is always up to speed and can act fast.  

The insights create a powerful feedback loop, allowing for dynamic tweaks to your risk posture and objectives, and sparking new SAFE currents whenever needed. This way, you’re always evolving, always improving, and security becomes integrated into the organisation’s strategic decision-making.


Shifting From Reactive To Proactive Cyber Security

The proactive, intelligence-led stance of Northwave’s SAFE method is unique in the market. It empowers organisations to anticipate cyber threats and respond swiftly and effectively through:

  • actionable threat feeds, powered by a tailored AI platform
  • dynamic and targeted risk prioritisation
  • lean, focused operations

With SAFE, security teams that have been stuck in a checklist slog will be able to make constant, meaningful progress. If your current security framework feels like it’s fighting yesterday’s battles, it’s time to explore how this innovative approach can give your defence the agility and intelligence needed to confront the threats of today and tomorrow. Contact us today to start the conversation with our security experts.
