In the chaotic, caffeine-fuelled trenches of cybersecurity, there’s a quiet paradox that haunts even the most seasoned professionals. It’s the kind of irony that sneaks up on you at 2am while you’re patching something critical… again. Despite all the firewalls, zero-trust architectures and AI-powered threat hunters, we must confront an uncomfortable truth: sometimes, the real threat isn’t lurking in some dark web forum, it’s in the mirror.
We have met the enemy and he is… wearing a lanyard. Pogo said it best: “We have met the enemy and he is us.” And he wasn’t even trying to configure an MFA policy.
In cybersecurity, the challenge isn’t just the malicious outsiders. It’s the well-meaning insiders, ourselves, who are juggling impossible demands, outdated documentation, half-baked strategies, and a to-do list that includes both ‘implement quantum-safe crypto’ and ‘answer Alice’s email about her VPN token not working.’ No single cyber pro can know it all and yet we’re expected to speak fluent firewall, threat intel, compliance frameworks, risk calculus, DevSecOps and office politics.
The Knowledge Hydra for the Cyber pro is the dilemma where learning one new concept spawns two more unfamiliar ones, creating an endless, multiplying challenge of staying current in a field that moves so fast that today’s best practice is tomorrow’s root cause. And while specialists exist, even they spend a good chunk of their time squinting at new acronyms wondering if they’re a threat or a product launch.
Worse, the cybersecurity ecosystem suffers from a cultural allergy to saying “I don’t know.” No expert advisor wants to tank a working relationship by insisting the organization must pause and plan. So to many advisors simply nod along, sprinkle some buzzwords, and agree to secure the cloud with… feelings? Chose your advise wisely and avoid confirmation bias in your election.
Without explicit objectives, clear roles and well-defined outcomes, security programs become haunted houses of good intentions where strategy goes to die. We end up building incident response plans that no one rehearses, policies no one reads and threat models that assume attackers follow the same logic as procurement, so we spend millions on black holes where logs go to die that we spend hours staring into, it’s a very modern mirage that many managed service organisations feed on.
And this is where the paradox hits hardest, we want to secure everything, but we don’t slow down to secure something. So we improvise. We multitask. We duct tape. We hope the attacker is slightly more confused than we are… wrong. Attackers have often greater emotional control, objective outcome focus, patience and tenacity to challenge the status quo and of course an agility from operating outside the straitjackets of regulation and compliance (not to overlook the elective self-imposed compliance friction manifested by years of bureaucratic organisational officialdom).
It’s time we embrace the Pogo Doctrine and looked inward. Not with despair, but with humour, humility and a touch of professional self-reflection. We, the cyber folks, must make peace with our fallibility. Ask the dumb questions or ourselves and our businesses outcomes. Admit when the plan doesn’t exist. Create space for alignment before the next shiny threat vector takes over the meeting and we digress to a fallible norm (regression to the mean) and reach for technology in some vain hope there is some silver in the bullet.
Because if we don’t confront the enemy within, the assumption that we must know it all and do it all, we’ll keep reinforcing the very vulnerabilities we’re trying to eliminate as the human behavioural gravitational pull of reverting to the norm inevitably wins.
So let’s raise a (sanitized) hand and say it together, “I don’t know everything and that’s okay”. Now let’s go build a security culture that’s a little more honest, a little more human and a whole lot more resilient.
After all, cyber isn’t just about firewalls. Sometimes, it’s about facing your own reflection in the blue screen of truth.
Posted on May 3, 2025
0