
Proactive cyber-security: no longer optional

The real cyber-security gap isn’t technical, argues Gavin Millard at Tenable. Siloed teams and organisational failures are to blame


The relentless influx of cyber-attacks has numbed organisations into complacency. Yet most of the damaging incidents we’ve seen aren’t because of groundbreaking new attack techniques. They’ve instead exposed an uncomfortable truth: organisations are coordinating poorly around cyber-risk. For example, ransomware, which has crippled many organisations, has been successful because leadership didn’t believe they could be a target or assumed that the controls embedded in regulatory requirements would be robust.

 

When considering the adversary, attackers don’t reinvent the wheel. Despite all the rhetoric around AI being a dangerous new attack vector, most cyber-criminals succeed by exploiting known, pre-existing weaknesses. The issue with this is that it leverages the gap between cause and consequence and creates a dangerous sense of Active Inertia.

 

Removing Active Inertia from the cyber-equation

The largest cyber-threat isn’t the teen in the basement trying to retrieve an old Facebook password; it’s fragmented responsibility, misaligned incentives and Active Inertia.

 

Active Inertia is a concept from management theory that explains why successful companies fail. Faced with a seismic market shift, they don’t sit still. Instead, they accelerate the activities that worked in the past, getting busier, but not changing. In the modern day, this means trying to fix problems by accelerating the activities that previously worked. However, as most breaches exploit fundamentals that teams understand but struggle to fix, for example, poor passwords, unpatched systems and mismanaged identities, the issues persist.

 

Closing this gap requires more than new tools or better training. For true cyber-resilience, robust technical checks, such as continuous monitoring, incident detection and secure architecture, all matter. Alongside this, teams must work from the same instruction manual, removing a culture of blame and unifying technology to break down silos across tools and the workforce. Without the right team culture, even the best tools can fall short. When it’s clear that security is a shared responsibility, behaviour will follow suit.

 

Blame culture destroys, amnesties build

Organisations that rely on cyber-security training and treat blame culture as a primary security control are set to fail. Employees will click links, make mistakes and misconfigure systems. That is inevitable. The real test is not whether someone falls for an attack, but whether security teams can proactively identify exposure and respond appropriately when it happens. After all, you wouldn’t blame the chickens for being eaten by a fox when it gets in the henhouse; you’d blame the poor defences.

 

Fault-driven cultures hinder transparency, delay reporting and increase risk. Practical initiatives, such as vulnerability amnesties, do the opposite. They encourage teams to surface and fix issues without fear.

 

With the right tools to manage exposures, vulnerabilities can be identified and prioritised before attackers exploit them. Ensuring security, IT and leadership have a shared view of risk and a clear path to solve the issue allows them to move from reactive to proactive resilience, making cyber-security a shared result driven by both mindset and people.

 

Unifying tools and teams to identify risk

As organisations adopt tools to advance efficiency and speed, cyber-risk becomes harder to understand. Tools and teams both become siloed. Technology such as AI is often introduced as a placebo rather than as an immediate solution. In fact, most organisations are unsure where AI is being used, who owns it, or how it interacts with the rest of the business.

 

This is where a unified platform becomes essential. Rather than adding more disconnected tools, organisations need a shared view of risk that brings together AI, cloud and broader exposure into a single, coherent picture. A unified platform allows teams to see how issues connect and focus collectively on what matters most. It also gives leadership, security and technical teams a common language. In modern environments, attackers don’t win by exploiting one technology at a time; they win by taking advantage of fragmented visibility and teams that are operating in silos.

 

Reducing risk long-term

When teams are working from the same understanding of risk, coordination improves and accountability becomes clearer.

 

For cyber-security teams to buy time and exhibit a shared vision across their organisation’s cyber-security landscape, Active Inertia needs to be replaced with a unified approach that applies modern methods to modern problems. Organisations that don’t adapt and work as a team risk falling victim to the most damaging of attacks.

 


 

Gavin Millard is Senior Vice President, EMEA at Tenable

 

Main image courtesy of iStockPhoto.com and sesame


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543