In light of this legislative and regulatory environment, organisations may falsely view cyber security as a simple compliance item and adopt unrealistic expectations of technical controls at the cost of neglecting the human element of cyber security. All too often organisations haphazardly seek to solve their security issues by prematurely purchasing expensive security products that they are not ready to implement at their level of cyber maturity. This often coincides with organisations not having a strong Cyber Security Strategy that includes an architectural engagement. It also typically coincides with cyber security policy suites, intended to govern user behaviour, becoming gradually outdated and only being updated in a piecemeal fashion. The issues associated with overlooking the human element are exacerbated in Energy and Utility organisations, as operational technology (OT) staff work in unique environments and therefore require additional specialised cyber security awareness and training.