It’s Time to Stop Accepting Losses in Cybersecurity

Cybersecurity is in a state of emergency. Attacks are increasing in scale, frequency, and sophistication, yet organizations still struggle to take decisive action.

Instead of confronting threats head-on, many hide behind outdated notions of “risk management,” a term that has become a crutch and an excuse for inaction.

The word “risk” gives organizations the wrong idea and the false belief that cyber threats can be categorized and controlled.

Organizations must realize that cyber threats aren’t just hypothetical risks, but immediate dangers that must be treated with urgency. And they’re costing businesses dearly. Research from the Ponemon Institute found that 58% of organizations had to shut down operations following a ransomware attack, up from 45% in 2021.

The problem is the idea of risk makes it seem like cyber threats can be calculated and assessed by analysts in ivory towers. In reality, cybercriminals don’t work from actuarial tables, nor do they care about probabilities.

They act. And they win. And they won’t change their behavior until we change ours.

I’m all too familiar with successfully changing the debate in cybersecurity, having founded Zero Trust over 14 years ago. At the time, the idea was met with scepticism – few understood its long-term significance. However, fast forward to today and it’s being adopted by governments, regulators and businesses as a proven way to strengthen cyber resilience. In fact, 72% say they plan to or are currently deploying a Zero Trust initiative.

It’s now time for me to look to my next challenge: reframing the cybersecurity conversation entirely.

We must stop talking about risk and start talking about danger.

Stop Using Risk Management as an Excuse for Inaction

In my view, the term “risk” has become, for organizations, an excuse for failing to act and for accepting losses.

This way of thinking allows executives to rationalize inaction and avoid making tough and necessary decisions. Risk management in cybersecurity now goes hand in hand with compromise and the acceptance that some level of failure is inevitable. But this mindset is working in favor of the adversaries we try to keep out.

Cybercriminals don’t care about our risk. Instead, they are focused on one thing and one thing only: breaking into a network and achieving their goals.

As a result, the question we should be asking isn’t “How much are we willing to lose?” It’s “How do we make sure we lose nothing?”

Traditional risk management has created a frustrating culture of complacency. It encourages organizations to weigh costs when they should be prioritizing security.

Because of this mindset, we see boardrooms filled with people who believe they are safe simply because their insurance premiums have gone down. It creates a culture where cybersecurity is seen as a balancing act rather than what it truly is: a fight for survival.

Danger, on the other hand, doesn’t invite discussion or debate but instead demands immediate action.

If we want to stop treating cyber threats as acceptable losses, we need to abandon the passive mindset of risk management and replace it with a culture of relentless and aggressive defense.

A Personal Wake-Up Call to the Reality of Danger

I came to this change of mindset from a place far removed from the world of cybersecurity.

My nephew, Steven Danger Kent, is living proof that danger is not something to be analyzed but confronted head-on.

At just four years old, Steven was diagnosed with neuroblastoma, an aggressive childhood cancer. The odds of him even contracting the disease in the first place were 1 in 22,000. His chances of survival were even slimmer, just 2%.

But as my wife said during Steven’s battle: “God doesn’t believe in probabilities. And neither should we.”

Steven didn’t fight based on his chances of survival; he fought because he had to. Today, at 16 years old, he’s here to prove that danger can be overcome not through calculation, but through relentless determination.

That’s the mentality we need in cybersecurity.

Our adversaries, whether it be cybercriminals or nation-state hackers, aren’t waiting for us to conduct risk assessments. They act, and far too often, they win. This is because we’ve convinced ourselves that some level of loss is acceptable.

Use Danger Management to Secure What Matters Most

As security expenditures increase and more is lost to adversaries, the solution to this problem isn’t reforming our risk models; it’s completely overhauling our approach to cyber-attacks.

We must stop managing risk and start managing danger.

The military is a great example of where this mindset is really effective. The fast-paced situations that occur while under attack from an enemy don’t require a risk assessment but a strategy that moves with urgency, discipline and precision. And as the lines between physical and cyber warfare continue to blur, we must adopt this mindset in cybersecurity.

This mindset is also seen in how the Secret Service protects the US President. Instead of relying on abstract risk models, they build layers of proactive defense around the President in order to keep threats at a distance while continuously monitoring for danger.

The Secret Service doesn’t just place defenses at the perimeter, either. Instead, it ensures that security controls are as close as possible to the asset that matters most.

That’s exactly how Zero Trust works. It realizes the importance of securing what’s most valuable with precision, segmentation and constant enforcement.

Just as the Secret Service assumes every bystander could be a threat, we must assume that every network interaction could be compromised and that threats are already inside our networks.

There is no “acceptable loss” in Zero Trust. That’s what danger management looks like in action.

Erase Risk Management, Embrace Danger Management

This isn’t just semantics. It’s about reprogramming how we think, talk and act in the face of threats.

It’s about shifting from passive observation to proactive defense.

Words matter. They shape culture, mindset and ultimately, action. If we continue to see cybersecurity through the lens of risk, we will continue to lose.

But if we embrace the reality of danger, we will start to fight back the way we should—with urgency, aggression and an unrelenting commitment to stopping our adversaries before they ever get the chance to strike.

The time for risk management is over. The era of danger management must begin now.