Work cultures and office politics are what's failing cyber security

The technical aspects of cyber security are pretty much resolved.

The industry knows how adversaries breach networks, and we have proven techniques, technologies and procedures to stop them.

So why do breaches keep happening?

Why is it that even though large enterprises spend millions on cyber security, they can fail at even executing the basics?

My experience says that 95% of enterprise cyber security is about dealing with office politics and dysfunctional work cultures:

  • Enterprise-wide uplift projects are never seen to completion and rarely achieve their intended outcomes
  • Roadmaps and strategies are inconsistent at best, undefined at worst
  • Instead of training people to be extraordinary, people are trained to be complacent
  • Employees are promoted for playing the political game, not the security game
  • Leaders talk big but act small – when they act at all

In the end, most people simply give-up.

When people give up, it doesn’t matter how much money you throw at a problem.

Benjamin Mossé