Why your VMware estate just got harder to justify (and how to think clearly about what comes next)
14 January 2026
Enterprise AI agents are the real story: buying AI is becoming a platform decision
12 February 2026
In technology teams, it’s easy to say security matters.
The harder part is being confident that the basics are actually being done properly, day in, day out – across real systems, real users, and real constraints.
We’ve recently completed Cyber Essentials Plus. Not because a customer required it, and not to tick a compliance box, but because it’s a sensible baseline for any organisation that wants to take security seriously.
Why CE+ felt worth doing
Most people reading this will be familiar with the difference, but the reason CE+ matters is simple: it’s tested.
It moves beyond policies, screenshots, and questionnaires, and checks whether controls are actually working on real devices and real systems. Patch levels, configurations, access controls – the unglamorous work that makes the difference in practice.
That was the point.
We work with organisations making high-risk technology decisions. That means being trusted with sensitive information and expected to apply sound judgement under pressure. If we expect that level of care from others, it’s only reasonable to hold ourselves to the same standard.
Doing it by choice, not obligation
In practice, Cyber Essentials Plus is often linked to contractual or procurement requirements.
For us, it made sense to treat it as a baseline rather than a hurdle – something worth validating regardless of mandate.
Not because CE+ magically makes an organisation “secure”, but because it provides independent confirmation that the fundamentals are being handled properly. It forces honesty around things like patch consistency, device scope, and how controls are enforced in reality.
Anyone who’s been through it will know it’s rarely perfect first time – and that’s kind of the point.
A baseline, not a badge
Cyber Essentials Plus isn’t a silver bullet. It doesn’t eliminate risk, and it doesn’t replace broader security thinking or good operational discipline.
What it does do is confirm that:
- systems are configured sensibly
- access is controlled and appropriate
- updates are applied consistently
- basic protections aren’t optional
That’s not advanced security. It’s table stakes. But table stakes done properly are still worth validating.
Why we’re sharing this
We don’t tend to broadcast certifications for their own sake. But if you’re an IT leader assessing partners or advisers, it’s reasonable to want confidence that they take their own security seriously – not just in principle, but in practice.
For us, Cyber Essentials Plus is simply one way of demonstrating that mindset.
No claims of perfection. No drama. Just taking responsibility for the basics and being willing to have them tested.
Thinking this through
If VMware changes are forcing decisions you weren’t planning to make yet, it’s often useful to talk them through before locking into a direction.
Darwin helps organisations step back, look at the real options, and make decisions they’re comfortable standing behind.
If that would be useful, you can get in touch via our contact page.