And CISOs, we have to stop pretending we’re victims in this. We’re not. We built this market with our buying habits. We rewarded noise. We chased innovation that didn’t align with our maturity. If we want the industry to change, we have to change how we spend. Buy less. Buy smarter. Invest in people, process, and architecture before you buy another platform. If you can’t patch, if you can’t control access, if your network is still flat, you don’t need another tool. You need discipline.
Security is not a tech problem. It’s an execution problem. And until we fix that, no amount of funding, AI, or new categories will save us.
I’ll keep buying what matters. I’ll buy what reduces real risk and strengthens the foundation. I’ll buy what makes us harder to breach and easier to recover. But everything else, the noise, the hype, the endless stream of tools that don’t fix the real issues, can stay on the shelf (or in your PowerPoint slides).
