Cybersecurity is a beast. It has all the scary stuff in it — and it has crept into every part of life, the safety of our homes and our families and now, inseparably, our work.

And yet most of the money that goes into it is spent ad-hoc. It usually starts with an incident — yours, or one on the news that could have been yours — and from there it snowballs. Management is stressed, IT is under pressure, and someone makes a swift decision to buy a technology so it never happens again.

That instinct is human. It is also where the real risk begins.

Technology is never the solution

An ad-hoc purchase rarely has the skill and expertise behind it to make it work. The pressure passes, the organization drifts back to its old routines — and the tool stays. Now you own a technology nobody fully runs, with no clear owner, quietly becoming a risk of its own. Money that should have gone to calculated, deliberate business risk is instead pouring into shelfware.

The beast was never going to be tamed by a line item.

Blame, or a lesson

Every organization I have helped through an incident feels the same thing: personally violated. The questions are always some version of "how did this happen to us?" and, painfully, "whose fault is this — is it mine?"

From there, the aftermath goes one of two ways.

Blame comes from leadership that refuses to accept cybersecurity as part of the ordinary cost of doing business. A lesson comes from leadership mature enough to treat the event as experience earned — and experience, the real kind, comes from real events, not only from drills, however valuable drills are.

The strongest organizations I know are not the ones that were never hit. They are the ones that came out of it stronger than they went in.

Hacking is a business

Here is the part every decision-maker, especially at the top, should sit with: hacking is a business. A very profitable one.

In the round numbers I have used with boards for years, the commercial industry that defends organizations is worth a few billion a year. The criminal side — organized, well-run, relentless — is worth, by serious estimates, on the order of a thousand times more. It is not a fair fight, and you will not win it by trying to outspend them.

So don't. Winning a fight like this was never about quantity. It is about quality, creativity, and an ounce of chutzpah. Two moves matter more than any budget: be proactive — start today, don't wait for the call — and don't do it alone.

By will, not by bill

You cannot win this alone, however good you and your team are. You need allies. And there is a difference between a vendor and an ally.

You might call us a vendor — but if all we ever do is send you a monthly invoice, trust me, you do not want us beside you when it hits the fan. Allies are the ones who share your mission and your why, who learn the DNA of your organization until they become part of it — by will, and not by bill.

That is the whole difference between someone you bought, and someone who is genuinely on your side.

People are always the solution

After almost thirty years across military, national, and commercial security, I am certain of one thing: cybersecurity is never really about technology. Businesses run top-down — people set the processes, and processes choose the tools, not the other way around. Most organizations already own most of the technology they need; the weak spot is using it well.

So invest in your people. If you make someone responsible for your security, train them constantly. They are in the position of a combat soldier — either at war, or preparing for war. The more they train, the fewer mistakes they make on the day they are called to it.

That day will come for everyone. The only real choice is whether you face it alone and brittle, or beside people who already know your DNA — and come out the other side stronger than before.

Chen Heffer

Founder & CEO, CyTech International

CISO strategist & mentor · inventor of the CRAM™ methodology · author of the CISO Training Series. Thirty years in the seat, now spent beside the leaders coming after.