Skip to content
Cybersecurity

The Future of Cybersecurity: Why People Still Beat Technology

Cybersecurity spending crossed two hundred billion dollars. Breaches went up anyway. If technology were the answer, we would already have the answer.

The takeaways

  1. 01The stack keeps getting better. The outcomes are not keeping pace because the constraint is human, not technical.
  2. 02Most breaches still start with a person clicking, misconfiguring, or being socially engineered.
  3. 03Zero trust, XDR, and AI are useful tools, not strategies. A strategy includes the people who run them.
  4. 04Talent shortage is real, but it is also a symptom of how the industry hires and develops people.
  5. 05The teams that will win the next decade are the ones who invested in communication, judgment, and ownership, not just licenses.

Every year the analyst firms publish the same chart with a different label. Global cybersecurity spending is up. Breach counts are up. Average dwell time is down a little, average breach cost is up a lot, and the gap between attacker capability and defender readiness has not closed. If you held the chart up next to one from 2015 and swapped the dates, most people would not notice.

That is the part the vendors do not want to talk about. The technology keeps getting better. The outcomes are not. There is only one variable left to look at.

The technology is doing its job

This is not a complaint about the tools. Modern EDR catches things signature antivirus never would have. Cloud-native SIEMs ingest volumes that would have crushed an on-prem deployment a decade ago. Zero trust architectures genuinely reduce blast radius. Identity providers have made MFA something a non-technical user can actually live with.

If you graded the technology in isolation, the industry has made real progress. The problem is that you do not get to grade it in isolation. The technology lives inside organizations, run by humans, against attackers who are also human.

Where the breaches actually start

Look at the post-incident reports for the last twelve months. The opening move is almost never a novel zero day. It is a phishing email a tired person clicked, an S3 bucket someone left public, a third-party token that was never rotated, an MFA fatigue prompt that finally got approved at two in the morning, a developer who pasted a secret into a public repo, or a help desk that reset a password for someone they should not have.

The technology was there. The technology often even flagged it. Someone closed the alert, or no one was watching, or the runbook said escalate and there was nobody on the other end of the escalation.

The talent problem is a people problem in disguise

The industry has been telling itself there is a talent shortage for a decade. There are roughly four million unfilled cybersecurity roles globally. That number does not move much no matter how many bootcamps run.

A shortage of bodies is not the real issue. The real issue is that the industry hires for the wrong things, then wonders why retention is bad and burnout is high. Job descriptions ask for ten years of experience in a tool that has existed for four. Interviews test trivia instead of judgment. New hires are dropped into a SOC, handed a queue, and asked why they are not communicating better with the business they have never been introduced to.

Fix the people pipeline and the tools start to actually return what you paid for them.

What the next decade actually rewards

The security programs that will look good in 2035 are not the ones with the biggest stack. They are the ones that did three unglamorous things at the same time.

They built communication into the role. The analyst who can explain risk to a product manager in two sentences is worth three analysts who cannot. This is a teachable skill that almost nobody teaches.

They made ownership clear. Every alert has a name on it. Every system has a name on it. Every decision to accept a risk has a name on it. Ambiguity is where breaches live.

They invested in judgment. Tools surface signals. Humans decide what they mean. The teams that practice that decision-making, in tabletop after tabletop, get faster at it. The teams that just buy more tools do not.

This is the entire premise of the Secure Methodology and of The Smartest Person in the Room. The technology is necessary. It is not sufficient. The variable that has been ignored the longest, the human one, is the one with the most upside left.

The future of cybersecurity is not a smarter tool. It is a team that knows how to use the smart tools it already has.

“Every new layer of technology eventually meets a human, and that human becomes the decision point. You can either prepare them or pretend they do not exist.”

Frequently asked

Christian Espinosa, headshot

About the author

Christian Espinosa · Founder, Blue Goat Cyber · Author · Speaker

Cybersecurity entrepreneur, author of The Smartest Person in the Room and The In-Between, 24x Ironman, aspiring Skip Barber Formula 4 driver, and lifelong metalhead. Creator of the Secure Methodology, a people-first framework for building cyber teams that actually perform.

Keep reading