Analysis

Five C-Suite Leaders Expose the Biggest Lies in Cybersecurity Metrics

April 10, 2026 22:40 · 6 min read
When More Investment Produces Worse Outcomes

The cybersecurity industry has spent years pouring money into new tools, growing its workforce, and expanding budgets — yet the results continue to deteriorate. During a panel discussion held in San Francisco last month, five senior security leaders argued that the root cause is not attackers or technology alone. It is the set of foundational assumptions the industry refuses to abandon.

The panel, titled "Hard Truths in Cybersecurity: Fear, Liability, and the Industry's Biggest Lies," brought together a group of executives who have each operated at the highest levels of enterprise and government security. Their collective diagnosis was blunt.

"Every year, we do more, and every year, the results get worse. The number of breaches, the size of the breaches, and the economic losses have gone up."

That assessment came from Andrew Rubin, CEO of Illumio, who moderated the discussion. Joining him were Tim Brown, the former CISO of SolarWinds who guided the company through its landmark breach response and remediation; Sherrod DeGrippo, general manager of Global Threat Intelligence at Microsoft; Theresa Payton, CEO and founder of Fortalice Solutions and former White House CIO; and David Boda, chief security and resilience officer at Nationwide Building Society.

What emerged from the conversation was a clear-eyed breakdown of five persistent myths that continue to shape — and distort — how organizations approach security.

Lie 1: Activity Equals Progress

One of the panel's most pointed critiques targeted the way cybersecurity success is measured. Compliance checklists, activity-based metrics, and framework adherence have created an environment where organizations can look secure on paper while remaining dangerously exposed in practice.

Theresa Payton was direct: "I do believe that cybersecurity is fundamentally broken. It's measured in terms of activity instead of reduction of threat surface."

Payton argued that organizations need to rethink how they define success from the ground up, starting with how security controls actually affect real users and business operations. "We need to literally start with the human user story," she said, pointing to a persistent gap between security programs and the way employees and customers actually interact with systems.

She was equally critical of routine security awareness training, describing it as largely ineffective in its current form. "Your cybersecurity awareness training — they're snoozing, they're losing. So just reimagine, reenergize." Rather than periodic box-checking exercises, she recommended reinforcing secure behavior through incentives, recognition, and weaving security directly into everyday workflows.

Lie 2: Prevention Is Achievable at Scale

The assumption that a sufficiently invested organization can prevent every attack was another target of the discussion. Payton acknowledged plainly that complete protection is not realistic. "You cannot protect everything," she said, adding that this reality demands a clear understanding of what actually matters most — the organization's data, core business processes, and what she called its "crown jewels."

For David Boda of Nationwide Building Society, this shift is already reflected in how his team allocates its time. "I spend like 50% of my time on response and recovery, not because we get hit every day, but because that's really hard to do right," he said.

Building the muscle to respond under genuine pressure and restore operations quickly requires more than adding controls. It demands coordination across the entire organization and repeated practice under realistic conditions. "To get a whole organization to respond and recover effectively under pressure is really important," Boda added, emphasizing that repeatable processes and cross-team coordination are what actually close the gap.

Lie 3: Organizations Actually Understand Their Threats

Sherrod DeGrippo identified a significant gap between how organizations talk about threat modeling and what they actually do. In many cases, threat intelligence exists only as a vague concept rather than a documented, researched discipline.

"People talk a lot about threat models, but they don't actually have anything written down. They haven't actually done the research," DeGrippo said.

She also pushed back on the idea that attribution should drive response priorities. Whether an attack is financially motivated or backed by a nation-state, the tactics are frequently similar, and the consequences are the same once an attacker gains access. The distinction between threat actor categories matters far less in practice than how quickly an attacker can establish and maintain a foothold.

DeGrippo also highlighted the emergence of a growing third category of threat actors: socially motivated individuals. With artificial intelligence dramatically lowering the barrier to entry, a single person can now operate with the scale and persistence that once required the resources of an organized group. That development means defenders need to focus less on identifying who is attacking and more on shrinking the window of opportunity available to any attacker.

Lie 4: More Technology Will Solve the Problem

AI is accelerating the capabilities of both defenders and attackers simultaneously, making technology acquisition an incomplete answer. The panelists agreed that while AI is already capable of automating significant portions of detection and response workflows, it is not yet ready for full automation. Payton urged organizations to prioritize building auditability, visibility, and control before expanding automated systems further.

Tim Brown of SolarWinds underscored how AI has fundamentally altered the economics of attack. "An agent doesn't get tired. An agent can read emails for a year and slowly go after things." What once demanded sustained human effort and significant resources can now be maintained indefinitely at minimal cost.

"Technology has put the power of a nation-state in the hands of organized crime," Brown said.

David Boda added that many organizations continue to rely on legacy approaches — signature-based detection and traditional data loss prevention tools — as though those controls are sufficient against the full range of modern attack scenarios. While they still have a role, treating them as a complete solution leaves significant exposure unaddressed. Organizations need to stress-test their defenses against real-world attack patterns rather than assuming historical tools will hold.

Lie 5: We Know What's Actually Working

The final assumption the panel challenged was perhaps the most quietly dangerous: the belief that security configurations are functioning as intended. According to the panelists, most security failures do not stem from sophisticated attacks alone — they emerge from routine changes, increased access permissions, and configuration drift that goes unnoticed over time.

Continuous auditing and environmental testing are essential for catching the kinds of risks that traditional scans and periodic assessments miss. Security cannot be treated as a state that, once established, simply persists. It must be continuously validated.

Tim Brown distilled it simply: "Don't assume, don't trust, verify."
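The drift the panel describes (permissions quietly widening, a network rule loosened during an incident and never reverted, a logging control switched off) is only visible if something compares the approved state against the live state on a schedule. The following is an added illustration of that comparison, not code from the article or from any of the panelists' organizations; the snapshot layout, the resource names (`svc-billing`, `db-sg`, `cloudtrail_logging`) and the three drift categories are constructed assumptions chosen to make the idea concrete.

```python
"""Baseline drift check: compare an approved configuration snapshot with the
current state and report only changes that widen exposure.

Added example, not from the article. The snapshot format, resource names
and rule kinds below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    kind: str    # "permission_added" | "network_widened" | "control_disabled"
    detail: str


# Constructed baseline: the state that was reviewed and approved.
BASELINE = {
    "iam": {
        "svc-billing": {"s3:GetObject", "s3:ListBucket"},
        "svc-reports": {"s3:GetObject"},
    },
    "firewall": {
        "db-sg": [{"port": 5432, "cidr": "10.0.0.0/16"}],
    },
    "controls": {"cloudtrail_logging": True, "mfa_required": True},
}

# Constructed current state: routine changes accumulated since the review.
CURRENT = {
    "iam": {
        "svc-billing": {"s3:GetObject", "s3:ListBucket", "s3:PutObject", "iam:PassRole"},
        "svc-reports": {"s3:GetObject"},
        "svc-tmp-debug": {"*"},                       # new principal, never approved
    },
    "firewall": {
        "db-sg": [
            {"port": 5432, "cidr": "10.0.0.0/16"},
            {"port": 5432, "cidr": "0.0.0.0/0"},      # added "temporarily"
        ],
    },
    "controls": {"cloudtrail_logging": False, "mfa_required": True},
}


def detect_drift(baseline: dict, current: dict) -> list[Finding]:
    """Return findings for every change that increases exposure.

    Removals and tightenings are deliberately not reported: the check asks
    "what is allowed now that was not allowed at baseline?", which is the
    question a periodic scan against a static policy tends not to answer.
    """
    findings: list[Finding] = []

    # 1. Permissions: any action granted now that was not approved, including
    #    actions on principals that did not exist at baseline.
    for principal, actions in current.get("iam", {}).items():
        approved = baseline.get("iam", {}).get(principal, set())
        for action in sorted(actions - approved):
            findings.append(Finding(principal, "permission_added", action))

    # 2. Network: a rule widens exposure unless a baseline rule for the same
    #    port already covers its CIDR (so re-listing 10.0.0.0/16 is not drift).
    for group, rules in current.get("firewall", {}).items():
        base_rules = baseline.get("firewall", {}).get(group, [])
        for rule in rules:
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            covered = any(
                r["port"] == rule["port"]
                and net.subnet_of(ipaddress.ip_network(r["cidr"], strict=False))
                for r in base_rules
            )
            if not covered:
                findings.append(Finding(
                    group, "network_widened",
                    f"port {rule['port']} open to {rule['cidr']}",
                ))

    # 3. Controls: anything that was enabled at baseline and is now off or missing.
    for name, enabled in baseline.get("controls", {}).items():
        if enabled and not current.get("controls", {}).get(name, False):
            findings.append(Finding(name, "control_disabled", "was enabled at baseline"))

    return findings


if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT):
        print(f"{f.kind:18} {f.resource:20} {f.detail}")
```

Run against the constructed data, the check reports five findings: two new actions on `svc-billing`, a wildcard grant on a principal that did not exist at baseline, the database port exposed to `0.0.0.0/0`, and trail logging switched off. None of these would appear in a scan that only asks whether each control is "configured"; they appear only when the live state is measured against what was approved, which is the continuous validation the panel argues for.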

A Common Thread

Across all five areas, the panel converged on a common theme: the industry has been rewarding the appearance of security over the reality of it. Metrics that measure activity, checklists that confirm compliance, and tools that generate alerts without reducing exposure have collectively created a false sense of progress.

The path forward, as these five leaders described it, requires organizations to rebuild their measurement frameworks around outcomes — reduced attack surface, faster recovery, verified configurations, and genuinely informed threat models — rather than the volume of activity that security teams can report upward. Until that shift takes hold, more spending and more tools will continue to produce more of the same results.


Source: Dark Reading
