Cybersecurity’s Greatest Myths: Why More Spending Isn’t Saving Us
Despite billions invested, the security industry’s favorite metrics may be setting us up for failure.
It’s the paradox at the heart of modern cybersecurity: organizations pour more money, talent, and technology into defending their digital borders, yet breaches keep rising in scale and cost. Behind the scenes, industry insiders are increasingly willing to admit a hard truth - the very ways we measure and manage security might be making things worse, not better.
At a recent Las Vegas panel titled “Hard Truths in Cybersecurity,” leaders from Microsoft, SolarWinds, Nationwide Building Society, and Fortalice Solutions sounded the alarm: the industry’s faith in metrics, checklists, and compliance frameworks is dangerously misplaced. “Every year, we do more, and every year, the results get worse,” warned Andrew Rubin, CEO of Illumio.
The first myth to fall: that doing more means getting safer. Theresa Payton, former White House CIO, argued that most companies measure security by activity - how many boxes are checked, not how much risk is actually reduced. This creates a dangerous illusion of safety and leaves organizations vulnerable to threats they never identified.
The second myth: that everything can be prevented. As attackers grow more creative and persistent, experts like Nationwide’s David Boda say security teams must focus as much on response and recovery as on prevention. “Getting a whole organization to respond and recover under pressure is really important,” Boda noted - especially since perfect defense is impossible.
Third, many organizations don’t truly understand their adversaries or threat models. Microsoft’s Sherrod DeGrippo points out that companies often make vague assumptions about attackers, failing to document or research real-world tactics. The rise of AI-powered tools means even lone actors can now operate with the reach of criminal syndicates, erasing old distinctions between amateur and nation-state threats.
Fourth, the industry’s love affair with new technology can be a trap. While AI promises to automate detection and response, it also supercharges attackers - giving “the power of a nation-state” to organized crime, as SolarWinds’ Tim Brown put it. Legacy defenses, like signature-based detection, are increasingly inadequate against modern, adaptive threats.
The final myth: that existing systems are properly configured and functioning. Most breaches result from unnoticed configuration drift or routine changes - not malice. The only solution, experts agree, is relentless auditing and testing. As Brown cautioned, “Don’t assume, don’t trust, verify.”
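The "verify, don't assume" advice in the paragraph above is concrete enough to show in code. The following is an added example, not from the article or any of the panelists' organizations: it compares a reviewed baseline configuration against the configuration actually observed on a system and reports every deviation, including settings that have silently disappeared and fallen back to a default. The key/value format, the two sample configurations, the key names (chosen to resemble an SSH daemon's options, but not read from any real file) and the list of high-risk keys are all constructed assumptions for illustration.

```python
"""Configuration drift check: compare an observed configuration against an
approved baseline and report every deviation.  Added illustration; the
settings, file contents and severity table below are constructed and are
not taken from any panelist's organization or product."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the reviewed and approved settings (key = value lines).
BASELINE_TEXT = """
# approved baseline (constructed sample)
PasswordAuthentication = no
PermitRootLogin = no
MaxAuthTries = 3
LogLevel = VERBOSE
AllowTcpForwarding = no
"""

# Constructed "current state" as a routine change might have left it:
# root login re-enabled, the auth limit relaxed, logging dropped, a new knob added.
OBSERVED_TEXT = """
PasswordAuthentication = no
PermitRootLogin = yes
MaxAuthTries = 10
AllowTcpForwarding = no
X11Forwarding = yes
"""

# Keys whose drift matters most to security (assumption for this example).
HIGH_RISK_KEYS = {"PermitRootLogin", "PasswordAuthentication", "MaxAuthTries", "LogLevel"}


@dataclass(frozen=True)
class Finding:
    key: str
    kind: str                 # "changed", "missing", or "unexpected"
    expected: Optional[str]   # baseline value, None if the key is not in the baseline
    observed: Optional[str]   # observed value, None if the key is absent on the system
    severity: str             # "high" or "low"


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def detect_drift(baseline: dict[str, str], observed: dict[str, str]) -> list[Finding]:
    """Return every deviation between baseline and observed, sorted by key.

    A missing key is reported as drift too: a setting that quietly fell back
    to its default is exactly the kind of change that goes unnoticed."""
    findings: list[Finding] = []
    for key in sorted(baseline.keys() | observed.keys()):
        exp, obs = baseline.get(key), observed.get(key)
        if exp == obs:
            continue
        kind = "missing" if obs is None else "unexpected" if exp is None else "changed"
        severity = "high" if key in HIGH_RISK_KEYS else "low"
        findings.append(Finding(key, kind, exp, obs, severity))
    return findings


def drift_report(baseline_text: str = BASELINE_TEXT,
                 observed_text: str = OBSERVED_TEXT) -> list[Finding]:
    """Parse both texts and return the list of drift findings."""
    return detect_drift(parse_config(baseline_text), parse_config(observed_text))


if __name__ == "__main__":
    for f in drift_report():
        print(f"[{f.severity.upper():4}] {f.key}: {f.kind} "
              f"(expected={f.expected!r}, observed={f.observed!r})")
```

Run on a schedule and fed from real exported settings, a check like this turns "don't assume" into a finding list that can be ticketed; the value is in treating a missing or added key as seriously as a changed one, since both are routine edits rather than malice, which is where the article says most breaches begin.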
These revelations demand a reset in how organizations think about cybersecurity. True resilience means moving beyond activity for activity’s sake, questioning assumptions, and embracing a culture of continuous verification. Until the industry faces these uncomfortable truths, the gap between investment and real security will only widen.
WIKICROOK
- Threat Surface: The threat surface is all possible points where attackers can access or extract data from a system, making it crucial to minimize for better security.
- Threat Modeling: Threat modeling is the process of identifying assets, evaluating potential threats, and planning defenses to protect against cybersecurity risks.
- Configuration Drift: Configuration drift is the unintended change of system settings over time, leading to inconsistencies, security risks, and management challenges in IT environments.
- Signature: A signature is a unique pattern used by security tools to identify and block known cyber threats, like viruses or malware, through pattern matching.
- Auditability: Auditability is the capability to track and explain all actions in a system, helping organizations ensure security, transparency, and regulatory compliance.