The £18,000 Saving That Cost £200,000 in Revenue
Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy: it's probably happening in your business right now.
In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.
Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.
What You'll Learn
The Core Concept
What the Doorman Fallacy is and why it matters for cybersecurity
The difference between nominal functions (what something obviously does) and actual functions (what it really does)
Why efficiency optimisation without a complete understanding is just expensive destruction
The five-question framework for avoiding Doorman Fallacy mistakes
Five Catastrophic Case Studies
1. The Security Training Fallacy (Chapter 2)
How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
Why training isn't about delivering information; it's about building culture
The invisible value: shared language, verification frameworks, psychological safety
What to measure instead of cost-per-employee-hour
2. The Cyber Insurance Fallacy (Chapter 3)
The software company that saved £18,000 and lost £200,000 in client contracts
Why insurance isn't just financial protection; it's a market signal
Hidden benefits: third-party validation, incident response capability, customer confidence
How cancelling coverage destroyed vendor relationships and sales opportunities
3. The Dave Automation Fallacy (Chapter 4)
Insurance broker spent £100,000+ replacing a £50,000 IT person
The £15,000 server upgrade that Dave would have known was unnecessary
Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
Why ticketing systems can't replace anthropological understanding
4. The MFA Friction Fallacy (Chapter 5)
Fifteen seconds of "friction" versus three weeks of crisis response
The retail client who removed MFA and suffered £65,000 in direct incident costs
Why attackers specifically target businesses without MFA
The reputational damage you can't quantify until it's too late
5. The Vendor Relationship Fallacy (Chapter 6)
Solicitors saved £4,800 annually, lost a £150,000 client
Why "identical services" aren't actually identical
The difference between contractual obligations and genuine partnerships
What happens when you need flexibility and you've burned your bridges
Key Statistics & Case Studies
42% of business applications are unauthorised Shadow IT (relevant context)
£47,000 BEC loss vs £12,000 annual training savings
£200,000 lost revenue vs £18,000 insurance savings
£100,000+ replacement costs vs £50,000 salary
£65,000 incident costs vs marginal productivity gains
£150,000 lost client vs £4,800 vendor savings
Common pattern: Small measurable savings, catastrophic unmeasurable consequences.
The Five-Question Framework
Before cutting any security costs, ask yourself:
What's the nominal function versus the actual function?
What does it obviously do vs what does it really do?
What invisible benefits will disappear?
Be specific: not "provides value" but "provides priority incident response during emergencies"
How would we replace those invisible benefits?
If you can't answer this, you're making a Doorman Fallacy mistake
What's the actual cost-benefit analysis, including invisible factors?
Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
What's the cost of being wrong?
In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection
Practical Takeaways
What to Do Tomorrow
Review your most recent efficiency or cost-cutting decision. Ask:
Did we define this function too narrowly?
What invisible value might we have destroyed?
Are we experiencing consequences we haven't connected to that decision?
Better Metrics for Security Investments
Instead of measuring cost-per-hour or savings-per-quarter, measure:
Incident reporting rates (should go UP with good training)
Verification procedure usage frequency
Time-to-report for security concerns
Vendor response times during emergencies
Employee confidence in raising concerns
Making Trade-Offs Honestly
Budget constraints are legitimate. The solution isn't "never cut anything." It's:
Acknowledge what you're sacrificing when you cut
Admit the risks you're accepting
Have plans for replacing invisible functions
Make consequences visible during decision-making
Ensure decision-makers bear some responsibility for outcomes
Quotable Moments
"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." – Noel
"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." – Noel
"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." – Noel
"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." – Mauven
"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." – Noel
Chapter Timestamps
00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
02:15 - Intro: Why Marketing Books Matter for Cybersecurity
05:30 - Chapter 1: The Book, The Fallacy, The Revelation
12:00 - Chapter 2: The Security Training Fallacy
19:30 - Chapter 3: The Cyber Insurance Fallacy
27:00 - Chapter 4: The Dave Automation Fallacy
35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
42:00 - Chapter 6: The Vendor Relationship Fallacy
49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
58:00 - Outro: Action Items & CTAs
Total Runtime: Approximately 62 minutes
Sponsored By
Authentrend - Biometric FIDO2 Security Solutions
This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication: no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.
Learn more: authentrend.com
Resources & Links
Mentioned in This Episode:
Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
Authentrend ATKey Products: authentrend.com
Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)
Useful Tools & Guides:
Download our Doorman Fallacy Decision Framework (PDF)
Template: Articulating Invisible Value in Budget Meetings
Checklist: Five Questions Before Cutting Security Costs
Case Study Library: Real-World Doorman Fallacy Examples
UK-Specific Resources:
ICO Guidance on Security Measures
NCSC Small Business Cyber Security Guide
Cyber Essentials Scheme Information
About Your Hosts
Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.
Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality; her background bridges national security threat awareness with practical small business constraints.
Support The Show
New episodes every Monday at Noon UK Time!
Never miss an episode! Subscribe on your favourite podcast platform:
Apple Podcasts
Spotify
Google Podcasts
RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml
Help us reach more small businesses:
Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
Comment with your own efficiency optimisation horror stories
Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences
Connect with us:
Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
Email:
[email protected]
Episode Tags
#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication
Legal
The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.
Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Got a question or topic suggestion? Email us at
[email protected] or leave a comment below!