You Don’t Get Out Of A Cybersecurity Mess By Writing A Check
The reality of today’s landscape offers a harsh truth: Security is not a product you purchase, but a responsibility you share.
- A Forbes Tech Council article asserts that security is a shared responsibility, not a product, urging organizations to shift from tool-buying to culture-building.
- Verizon's 2025 Data Breach Investigations Report found that 85% of data breaches involve a human element, highlighting the limits of technology-only solutions.
- Global cybercrime damages reached an estimated $10.5 trillion in 2025, according to Cybersecurity Ventures, despite record spending on security tools.
- The Colonial Pipeline and SolarWinds attacks each cost over $100 million and originated from basic security oversights, not lack of advanced products.
- SEC and global regulators are now mandating that companies disclose cybersecurity risks and practices, pushing toward a shared responsibility framework.
A leading cybersecurity expert writing for Forbes warns that organizations are trapped in a vicious cycle of buying new tools while ignoring the root causes of breaches. This op-ed argues that true security emerges from collective accountability, not from cutting checks for the latest firewall or endpoint detection system.
Why now? Cyberattacks have reached an all-time high. In 2025, global cybercrime damages were projected to hit $10.5 trillion, according to Cybersecurity Ventures. Meanwhile, the 2025 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element—phishing, misconfiguration, or credential theft. Companies have responded by pouring money into technology, yet the problem worsens.
The Forbes article points to a fundamental disconnect: many organizations treat cybersecurity as a checkbox compliance exercise rather than an ongoing, company-wide commitment. It highlights that even sophisticated tools fail when employees lack awareness, leadership doesn't prioritize risk, and budgets flow to gadgets instead of training and processes.
Specific examples include the Colonial Pipeline ransomware attack in 2021, which originated from a single compromised password, and the SolarWinds supply chain breach, where a lack of vendor oversight led to widespread damage. Both incidents cost hundreds of millions—not for lack of technology, but for lack of shared vigilance.
Analysis from industry observers suggests that the cybersecurity industry itself bears some blame. Vendors market products as silver bullets, creating a false sense of safety. Experts now advocate for a "shared responsibility model" where every employee, from the CEO to the intern, owns a piece of security. This includes regular training, incident response drills, and fostering a culture where reporting mistakes is rewarded, not punished.
Looking ahead, the article signals that regulators are increasingly emphasizing organizational accountability. The SEC's 2023 cybersecurity rules already require public companies to disclose breaches and detail their risk management processes. Similar mandates are emerging in the EU and Asia. The message is clear: writing a check will not suffice. The future of cybersecurity hinges on embedding security into the fabric of every business decision, not just the procurement department.
Frequently Asked Questions
What is the shared responsibility model in cybersecurity?
The shared responsibility model means that security is not solely the job of the IT department. Everyone in an organization—from executives to entry-level employees—plays a role in protecting data, systems, and networks. This includes following policies, reporting incidents, and staying vigilant against threats.
Why is cybersecurity not a product?
Cybersecurity is not a product because buying tools alone cannot prevent breaches. Technology can help detect and block threats, but human error, weak processes, and poor culture often create vulnerabilities that tools cannot address. Effective security requires continuous training, governance, and shared accountability.
How can organizations improve their security culture?
Organizations can improve security culture by providing regular, engaging training for all employees, encouraging open reporting of mistakes without punishment, integrating security into business processes, and ensuring leadership models secure behaviors. Recognition and incentives for good security practices also help.
What are the consequences of ignoring shared responsibility?
Ignoring shared responsibility can lead to costly data breaches, regulatory fines, reputational damage, and loss of customer trust. For example, the 2021 Colonial Pipeline ransomware attack cost over $4 million in ransom plus millions more in recovery, and the SolarWinds breach affected 18,000 customers, costing hundreds of millions.
What are regulators requiring?
Regulators like the SEC require public companies to disclose cybersecurity incidents and describe their risk management strategies. The EU's NIS2 Directive and other regulations mandate that organizations implement comprehensive security measures and assign clear accountability. Non-compliance can result in heavy fines and legal action.
Original source: www.forbes.com