From uncertainty economy to trust

Security industry suppliers must stop selling and profiting from anxiety and start delivering stability. I want to challenge our industry, which sometimes benefits more from complexity, fear and dependencies than from real risk reduction. In this article, I attempt to share my view on why compliance-driven thinking offers false security and higher costs, and how a risk-driven approach enhances resilience, continuity and competitiveness.

It's time to shift business from "more layers" to proven sustainability.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

Imagine a large security expo; any one will do. Neon lights, slogans and laser shows. It's flashy, trendy and "fresh." On one or more stages, yet another "layer" is presented, promising salvation from known and unknown threats. In the booths, graphs roll across concepts, buzzwords and much else that is barely pronounceable, let alone comprehensible to the uninitiated. There, in the dimness between keynotes, giveaways and coffee trays, a familiar mix of worry and relief arises: "It seems dangerous out there, but at least someone has a package, a service or a consultant for it." This is also where it starts to really bother me. A significant part of the cybersecurity industry has learned to profit more from uncertainty than from security. This is a fact. But it is not out of malice; rather, economic forces have long pulled in the wrong direction. When the cost of flaws can be passed on to others, we underinvest in what truly reduces risk and overinvest in what looks good on the surface (Anderson, 2001; Bauer & van Eeten, 2009; Herley, 2009).

The old compliance-driven mindset has long dominated the market and made many service providers and consultancy firms very successful. Checklist in, certificate out, binders grow and audit trails shine. But beneath the surface, a cost spiral builds from modules, licences and consultancy rounds that do not necessarily reduce risk. They merely make it more managed. We have become world champions at showing promises of security but are worse at proving outcomes. And when reality knocks — a breach, a supplier disruption, a staffing gap — it matters less how many dashboards we have if we cannot find the fault quickly, close it, understand what went wrong and learn from it, and recover faster. Large outcome studies also point the same way: more gadgets and higher fragmentation rarely (or in far too many cases never) correlate with better results. What helps is integration and genuine capability in daily practice (Cisco, 2024; WEF, 2024).

Meanwhile, threats have moved in packs while we've stuck to the old ways. It is still people, and the chains around us, that open doors: social engineering, mishandled identities and poorly vetted dependencies in the supply chain. This is not just my personal view; it is a recurring data point in European and global threat reports (ENISA, 2023; IBM, 2024; Mandiant, 2024). In other words: if you try to empty a leaking boat with more buckets instead of fixing the hull, you soon have an excellent stock of buckets, but your feet are still wet.

Modern safety and security in digital ecosystems are thus no longer merely a technical issue, as they once were, but an incentive issue. Companies, suppliers, consultants and educators have all acted rationally within a logic that has long rewarded what is measurable on the surface. And this is reinforced by new frameworks on the same theme, new tools, more consultants and more administration. All of this is easier to sell than quiet improvement that takes time to notice. It is understandable that the industry ends up here, but unfortunately it is costly. And the cost falls hardest on organisations that need to function when the pressure is on, where every unnecessary layer of complexity, every slow recovery and every lack of everyday capability lowers security and competitiveness at the same time. Organisations suffer while service and consultancy firms thrive.

I also see how policy, perhaps somewhat reluctantly, has been forced to the same conclusion. When US and European authorities push for secure by design/default, it is about shifting the burden upstream and making security a delivered feature, not an optional extra (CISA, 2023). When the EU introduces product requirements on software and hardware through the Cyber Resilience Act, it is precisely because voluntary promises were insufficient to send the right market signals (European Commission, 2024). And when European regulation for organisations in critical processes shifts its language from the appearance of the manuals to how well things function in turbulence, it paints the same picture: outcomes trump promises (European Union, 2022). This is genuinely risk-driven, not compliance-driven. Not because anyone loves the word risk, but because someone must be able to bear it when things shake.

The question then is: why do we cling to the old ways? The answer is partly human. Checklists and certificates create a sense of control. They are the visible proof that we have "done something." But the price for that feeling is threefold. First, the total cost rises as tools and processes are layered faster than they are retired. It is still too common for an organisation to run several tools that do the same thing, which is entirely unnecessary. Second, a false sense of security is created, where "everything was green" until it wasn't. Organisations have tools they do not master, understand or know how to use well. Third, we lose focus: threats, risk, vulnerability and capability fade into the background. And in today's geopolitical climate, the wrong focus is not just poor management; it is a strategic obstacle for the organisation (ENISA, 2023; WEF, 2024).

The risk-driven shift is, contrary to its dry tone, a source of hope. When the order shifts from threat to risk, to vulnerability, to capability, something practical happens. Integration wins over layering. Recovery time becomes a language everyone understands, from the shop floor to the boardroom. Incident reporting stops being a nerve-wracking exercise and becomes trained behaviour. And slowly the curves begin to point the right way: lower cost per reduced risk, higher actual resilience, fewer surprises. This is also where competitiveness is born. Customers and partners trust those who can demonstrate real continuity in practice more than those who show perfect binders in calm weather (WEF, 2024; OECD, 2015/2022).

Some may call this a utopian tone for the security industry. But in a trust economy, everyone benefits more when risk goes down. Service providers gain long-term relationships by delivering peace of mind, not just layers in the stack. Consultants become indispensable when they simplify, integrate and serve reality. Buyers escape the endless feeling of being held hostage by the next licence renewal. And regulators can begin to measure what legislation actually aims to achieve: capability, not just form.

A touch of respectful humour along the way doesn't hurt. If "binder world championships" were an Olympic event, many of us would stand on the podium holding gold medals. The Olympic committee would be delighted, no doubt. But the competition that really matters in 2026 will be fought against the wind: can we take off, land and manage turbulence without losing altitude? That requires less showmanship and more craft. Fewer trophies and more signs of everyday discipline. Less uncertainty economy, more trust. And as far as I know, that event is not part of the digital security Olympics.

But I am convinced that the future merit of our industry lies precisely in what I try to highlight in this article. Not in continuing to package worry but in delivering real stability. Not in extending dependencies but in building robust relationships. Not in winning the next expo but in winning the next disruption. This is the direction that research, industry data and policy already point to, if we choose to read them as more than footnotes and then build business around it (Anderson, 2001; Bauer & van Eeten, 2009; Herley, 2009; ENISA, 2023; IBM, 2024; Mandiant, 2024; CISA, 2023; European Commission, 2024; European Union, 2022; WEF, 2024; OECD, 2015/2022).

It is also the direction that honours our customers, our communities and our shared digital everyday life. When we genuinely shift the compass from compliance to risk and from uncertainty to trust, more happens than a technical upgrade. We reclaim the purpose of cybersecurity — not to gather papers but to hold the world together when it shakes.

References

  • Anderson, R. (2001). Why information security is hard: An economic perspective. Proceedings of ACSAC.

  • Bauer, J. M., & van Eeten, M. J. G. (2009). Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy, 33(11).

  • CISA. (2023). Secure by Design, Secure by Default. Cybersecurity and Infrastructure Security Agency.

  • Cisco. (2024). Security Outcomes Report. Cisco Systems.

  • ENISA. (2023). ENISA Threat Landscape 2023. European Union Agency for Cybersecurity.

  • European Commission. (2024). Regulation (EU) 2024/2847 – Cyber Resilience Act (CRA).

  • European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal L 333.

  • Herley, C. (2009). So long, and no thanks for the externalities: The rational rejection of security advice by users. IEEE Security & Privacy.

  • IBM. (2024). Cost of a Data Breach Report 2024. IBM Security.

  • Mandiant. (2024). M-Trends 2024. Google Cloud.

  • OECD. (2015/2022). Recommendation on Digital Security Risk Management. Organisation for Economic Co-operation and Development.

  • World Economic Forum. (2024). Global Cybersecurity Outlook 2024.
