
The Psychology of a Breach: Why We’re Still Losing Despite Better Tech

Hwei Oh
09/18/2025

Despite billions invested in advanced cybersecurity tools such as Extended Detection and Response (XDR), agentic AI, behavioral analytics, and zero-trust frameworks, breaches remain a persistent threat.

Technological advances can do little without the organizational and cultural mindset changes that are necessary to support them.

Leaders must think beyond technology and look to accountability and incentives to understand why their security programs are failing.

Two common attitudes that frequently lead to security compromises are chasing the Shiny New Object, and clinging to an incumbent vendor because shifting to new technology is “hard.”

This article explores why the cybersecurity epidemic continues unabated, and what leaders must do to ensure they don’t fall victim to the ever-increasing spate of cybercrime.

The Paradox of Progress

Global cybersecurity spending is projected to reach $377 billion by 2028, with organizations adopting tools like XDR to integrate threat detection across endpoints, networks, and clouds. Many organizations are also implementing agentic AI to automate responses, behavioral analytics to identify anomalies, and zero-trust frameworks to enforce strict access controls.

However, breaches persist. They are being driven by the same human and organizational weaknesses seen years ago.

For example, Verizon’s 2025 Data Breach Investigations Report states that 60% of breaches involved a human element, such as phishing, social engineering, or human error.

Ransomware was present in 44% of the breaches analyzed, a 37% increase from the previous year. Little has changed in a decade, as we previously covered in our “Four Decades of Ransomware” webinar.

The data suggests that the industry is too focused on tool adoption over cultural evolution. For example, IBM’s 2024 Cost of a Data Breach Report notes that breaches involving stolen credentials, which are often tied to phishing or reused passwords, cost companies an average of $4.81 million.

Tools can detect threats, but without a culture that prioritizes security training and awareness, employees remain the weakest link.

CISO Mindset & Executive Psychology

CISOs often face a fundamental tension in their roles:

  1. They’re expected to act as strategic risk managers, safeguarding the organization against threats.
  2. However, they’re also treated as cost-center managers, charged with justifying every expense.

This unfortunate dichotomy shapes their mindsets and limits their effectiveness. Pulled between the two roles, they are incentivized to be neither fully security-effective nor fully cost-effective, because success in one is often read as failure in the other.

Not all cybersecurity programs are costly, but when CISOs are interrogated about budget instead of security outcomes, they prioritize budget.

A 2024 CSO Online article reported that 77% of CISOs fear a major breach could cost them their jobs. The article covers the conflict that CISOs feel when security measures are canceled by the CFO because of budgetary concerns.

Lack of board support compounds the issue. Although 83% of CISOs regularly participate in board meetings, only 29% of the boards have a member with cybersecurity expertise, according to a Splunk report. The majority of boards (67%) disagree that CISOs should prioritize innovating with emerging technologies, despite most CISOs feeling this is necessary.

It seems CISOs are there primarily to plug gaps rather than challenge the status quo. Many CISOs are relegated to compliance-driven “box-ticking,” implementing controls to meet regulatory requirements instead of driving transformative change.

The Australian Institute of Company Directors notes that CISOs need top-down board support and backup to shift from gap-plugging to strategic risk management. Without this empowerment, CISOs are trapped in a cycle of reactive short-term fixes, unable to respond to the daily challenges of their roles.

The Accountability Vacuum

The hard pill to swallow is that boards and executives aren’t holding themselves accountable for cyber resilience.

In industries where security is mission-critical, such as finance and healthcare, breaches are sometimes treated as reputational “rounding errors” rather than strategic failures.

IBM’s 2024 report shows healthcare breaches averaging $9.77 million, the highest across industries. The finance sector held the second spot at $6.08 million per breach.

While healthcare and finance are indeed prime targets for organized cyberattacks, it’s also true that their boards and management deprioritize cyber resilience.

In an anonymous global survey, 72% of CEOs admitted being uncomfortable making cybersecurity decisions, often passing the buck to their teams. Although all of the CEOs said they felt accountable for cybersecurity, 50% of European CISOs and 30% of US CISOs did not believe their CEOs felt accountable. This gap in perception reveals a significant divide in management about whose job cybersecurity is.

Again, it’s this cultural mindset that stands as a roadblock to all cybersecurity efforts, no matter how good the technology is.

Establishing top-down accountability frameworks, similar to financial oversight, could force executives to treat cybersecurity as a boardroom priority. Without such structures, boards delegate responsibility to CISOs without providing the authority or resources needed for them to effectively do their jobs.

The Organizational Cost Bias

Cybersecurity is often treated as a non-revenue-generating cost center, leading to under-resourcing and reliance on cheaper tools or incumbent vendors to avoid disruption. This perception influences resourcing, hiring, and long-term planning for cyber resilience.

The IBM 2024 report shows that investing in employee training was the largest cost mitigator in a security breach, followed by investing in AI solutions. Each factor reduced the average breach cost by roughly a quarter of a million dollars.

Yet, only 21% of executives report that they usually allocate cyber budgets to the organization’s top risks. In other words, 79% are not directing funds where the risk is greatest. This cost bias often results in understaffed teams and outdated systems that attackers are happy to exploit.

Security should be reframed as a resilience investment. By positioning cybersecurity as a driver of customer trust and regulatory compliance, organizations can justify increased budgets.

Reframing security as a strategic asset encourages long-term hiring of skilled professionals and investment in robust defenses rather than patchwork solutions that don’t make the grade.

The Illusion of Control

Although we mention this point last, it’s extremely significant, especially in an AI age where we’re constantly being told that AI can do everything except tie our shoes—actually, we’re also being told that.

Even before the current generative AI craze, AI tools existed in cybersecurity. These tools leveraged traditional AI, based on machine learning and statistical models. They’re excellent aids to a robust cybersecurity posture. But they’re far from a silver bullet.

Sadly, too many in the industry place all their faith in automated tools that simply won’t make the grade without human support when it comes to sophisticated attacks.

A survey conducted by Gigamon reveals that 70% of CISOs believe that existing tools can’t detect threats as effectively without human oversight. Also, despite more investment in cybersecurity tools, 62% of companies in the UK lack confidence that they can withstand an attack.

A higher investment in tools doesn’t equate to a better security posture, if the accompanying culture and training aren’t in place as well.

Overreliance can lead to a false sense of security and dulled alertness to potential threats. The vendor ecosystem, with its “unicorns” and buzzwords like “AI-powered” and “zero trust,” only adds to the mythical belief that automation and AI will take care of everything.

Real defense posture requires unified strategies, employee training, and metrics that measure outcomes, not just tool deployment.

Try SolCyber for Comprehensive Cybersecurity

Most companies today have too many tools and not enough clarity. What’s missing is a strategic, managed, human-led operating model that brings it all together.

At SolCyber, we’ve seen companies with robust tech stacks fail due to fragmented strategies.

Our managed security offering addresses this by reducing complexity and building effective defenses. We offer programs across all aspects of cybersecurity, from non-invasive mobile device protection to full business coverage and even fast-track cyber insurance.

We provide a 24/7 SOC staffed by Level 2 analysts. Our responses are human-led until containment, using the latest tech tools to augment our ability to contain an incident.

We can work on our own or hand-in-glove with your cybersecurity team. To learn more about how SolCyber can help you, reach out to us for a free demo.

Photo by Markus Winkler on Unsplash

