Every major breach makes the same shape of headline. A company gets compromised, the attack vector turns out to be embarrassingly mundane, and analysts note that the victim had purchased adequate security tools but failed to maintain them. The story is so predictable that it has become almost boring, which is itself a sign of how badly the underlying problem is misunderstood.
Security gets sold as a product, deployed as a project, and treated as done. Real security is a discipline of constant attention, and the gap between those two framings is where most breaches happen.
The product fallacy
Vendors have an incentive to describe their tools as solutions. Buy this firewall, install this endpoint agent, subscribe to this monitoring service, and your problem is handled. The pitch maps cleanly onto how procurement departments think and how budgets get approved. It also produces a false sense of completion.
The tools are necessary. They are not sufficient. A firewall that hasn’t been reviewed in three years is protecting an old map of your network. An endpoint agent with stale rules misses the threats that emerged after deployment. Monitoring that nobody triages produces logs no one reads. Each of these failures is invisible until something breaks, at which point investigators discover that the technology was working as designed against threats that no longer matter.
What “constant process” actually looks like
The companies that do security well treat it like building maintenance. There are scheduled reviews of access permissions, regular patch cycles with documented exceptions, periodic tabletop exercises, and someone whose job includes asking whether last year’s assumptions still hold. None of this is glamorous, and none of it produces the kind of metrics that look good in board presentations.
The work is also unbounded. A defender has to be right continuously across a sprawling attack surface. An attacker has to be right once. That asymmetry means there is no point at which security can be declared finished. Organizations that recognize this build cadences of review and renewal. Organizations that don’t end up surprised when a breach traces back to a misconfigured S3 bucket from 2019 that everyone forgot existed.
The human layer is where it lives
Most successful attacks still begin at the human layer: a phishing email, a phone call to a help desk, or a password reused from an earlier breach and replayed in a credential-stuffing attack. No tool eliminates that vector entirely, because the attack targets people, and people are reliably exploitable under time pressure. The countermeasures that work are training that gets refreshed, processes that don’t depend on individual judgment under stress, and authentication that still holds when the user has already been fooled.
Multi-factor authentication is the closest thing to a silver bullet the field has produced, and even it only works under two conditions: it has to be deployed everywhere, not just on the executives’ accounts, and the second factor has to be one an attacker cannot relay. One-time codes and push approvals can be phished in real time by a lookalike site that forwards them to the real login page; factors bound to the origin, such as FIDO2/WebAuthn security keys, cannot, because the signature covers the site the browser actually talked to. Coverage gaps, in both senses, are where attackers concentrate.
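To make the relay point concrete, here is a small simulation, added as an example here and not code from the original post: it implements RFC 6238 TOTP from the standard library, shows a relayed one-time code being accepted by the real site, and then shows why an origin-bound assertion fails the same relay. The key material, the two origins (`login.example.com` and the lookalike `login-example.com`) and the use of an HMAC over the challenge plus origin as a stand-in for a WebAuthn public-key signature are all assumptions made for the example; a real browser would refuse the lookalike site’s WebAuthn request even earlier, because its RP ID does not match.

```python
import hashlib
import hmac
import secrets
import struct


# --- RFC 4226 / RFC 6238 one-time codes (HMAC-SHA1, 30 s step, 6 digits) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current step and one step either side, as most servers do for clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in (-1, 0, 1)
    )


def relay_otp_phish(now: int = 1_700_000_000) -> bool:
    """Attacker-in-the-middle against TOTP. Returns True if the real site lets the attacker in."""
    user_secret = b"12345678901234567890"  # constructed: the RFC 6238 test-vector key
    # The victim reads the code from their authenticator app and types it into the phishing page.
    code_typed_on_phish_page = totp(user_secret, now)
    # The attacker forwards the same code to the real site a few seconds later.
    return verify_totp(user_secret, code_typed_on_phish_page, now + 5)


# --- Origin-bound second factor (WebAuthn-style, simplified) ---

REAL_ORIGIN = "https://login.example.com"    # assumption: the genuine site
PHISH_ORIGIN = "https://login-example.com"   # assumption: the attacker's lookalike


def sign_assertion(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion: the signature covers the challenge AND the
    origin the browser actually saw (in WebAuthn, via the hash of clientDataJSON).
    HMAC with a per-credential secret replaces the real private-key signature."""
    client_data = origin.encode() + b"|" + challenge
    return hmac.new(cred_key, client_data, hashlib.sha256).digest()


def verify_assertion(cred_key: bytes, challenge: bytes, origin_claimed: str,
                     signature: bytes, expected_origin: str = REAL_ORIGIN) -> bool:
    """Relying-party check: the origin in the client data must be ours, and the
    signature must have been computed over exactly that client data."""
    if origin_claimed != expected_origin:
        return False
    expected = sign_assertion(cred_key, challenge, origin_claimed)
    return hmac.compare_digest(expected, signature)


def relay_webauthn_phish() -> bool:
    """Same relay as above against an origin-bound factor. Returns True if either
    relay variant is accepted by the real site."""
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)  # fresh challenge issued by the real site
    # The attacker forwards the challenge to the victim on the phishing page; the
    # victim's browser signs it with the origin it is really on.
    sig = sign_assertion(cred_key, challenge, PHISH_ORIGIN)
    # Variant 1: relay the client data untouched -> origin mismatch.
    honest_relay = verify_assertion(cred_key, challenge, PHISH_ORIGIN, sig)
    # Variant 2: rewrite the origin to the real one -> signature no longer matches.
    forged_relay = verify_assertion(cred_key, challenge, REAL_ORIGIN, sig)
    return honest_relay or forged_relay


def legit_webauthn_login() -> bool:
    """Control case: the user really is on the genuine site, so the assertion verifies."""
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    sig = sign_assertion(cred_key, challenge, REAL_ORIGIN)
    return verify_assertion(cred_key, challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    print("TOTP relay accepted by real site:   ", relay_otp_phish())
    print("Origin-bound relay accepted:        ", relay_webauthn_phish())
    print("Genuine origin-bound login accepted:", legit_webauthn_login())
```

The asymmetry is the whole point: the one-time code carries no information about where the user typed it, so the server cannot tell a relayed code from a genuine one, whereas the origin-bound assertion either names the wrong site or fails signature verification once the attacker edits it.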
Bottom line
Cybersecurity isn’t a thing you have. It’s a thing you do, repeatedly, forever. Treating it as a one-time purchase produces a predictable failure mode that the breach data confirms every quarter. The discipline is unglamorous, expensive, and the only thing that actually works.