May 11, 2026

What 20 Years in Cybersecurity Taught Me About Risk

I have spent the better part of two decades helping organizations understand their cyber risk. The tools have changed dramatically. The fundamental problem has not.

Risk Is a Business Decision, Not a Technical One

The most common mistake I see — from small businesses to Fortune 500s — is treating cybersecurity as an IT problem. It is not. It is a business risk problem that happens to have a technical component.

When I sit down with a CISO or a board, I am not there to talk about vulnerability counts or CVSS scores. I am there to help them answer one question: Given what you know about your threat environment and your current controls, what are you willing to lose, and what are you not?

That conversation is harder than it sounds. It requires honesty about crown jewels, about dependencies, about what recovery actually looks like after a ransomware event or a data breach. Most organizations have not had it.

The Compliance Trap

FISMA. FedRAMP. CMMC. NIST RMF. I have worked inside all of them. Compliance frameworks are useful — they create a baseline, a common vocabulary, a forcing function for organizations that would not otherwise prioritize security investment.

But compliance is not security. I have seen organizations with perfect audit scores get breached. The question is not "are we compliant?" It is "are we secure against the threats that are actually coming for us?"

The Human Element Never Goes Away

After twenty years, the one constant is this: the human element dominates. Phishing still works. Credential stuffing still works. Insider threat is still underweighted.

Zero Trust architecture is the right direction. Assume breach is the right mindset. But both require an organizational culture that treats security as everyone's job — not a tax imposed by IT.

Building that culture is the hardest and most important work in this field. It does not show up in a vulnerability scan. But it is the difference between organizations that recover from incidents and organizations that do not.