#002: The Breach Mindset

There’s a special place in hell for the phrase “We think we’ve done enough.” That gem, usually dropped by well-meaning execs in pastel shirts and a state of wilful denial, tends to arrive just before one of two outcomes:

1. A minor miracle, or
2. A full-blown breach that turns your long weekend into a forensic triage sprint featuring mystery packets, audit logs that read like a horror story, and a lot of people suddenly learning what a SIEM is.

Let’s not kid ourselves: most organisations don’t invest properly in security until things have already started burning. Pre-breach, the mood is somewhere between “We bought the thing, so we’re sweet, right?” and “I think we have something from that vendor… somewhere?” Meanwhile, your firewall policy is held together with hope and forgotten ACLs, and the threat actors are treating your environment like an unlocked minibar.

But hey — compliance was passed, so what’s the problem?

Act I: The Complacency Chronicles

Before the breach, there’s always the same warm, delusional feeling of safety. Tools have been bought. People have had awareness training. You might even have a playbook. Good for you. Somewhere in a SharePoint folder lies a lovingly crafted PDF titled Security Roadmap v1 FINAL_FINAL_THIS_ONE_USE_THIS.pdf — and that alone seems to soothe nerves in the boardroom.

But deep down, there’s a whisper: “Have we spent enough? Have we done everything we can?”

The answer? Probably not. You’ve done just enough to tick boxes — not enough to actually stop anything. But sure, let’s roll the dice and hope that nation-state adversaries respect ISO 27001.

Act II: The Breach (aka The Career-Limiting Event)

Then comes the moment. The alert. The weird traffic someone definitely should’ve seen earlier. The sudden realisation that that new “vendor demo account” had domain admin.

Panic ensues. People start using the word pivot incorrectly. Someone blames the intern. There’s shouting, Teams channels named “war-room-now,” and the sudden collective awakening that maybe, just maybe, your backup strategy wasn’t as “air-gapped” as advertised.

This is where the floodgates open — not just for data, but for budget. Magically, the funding you asked for 18 months ago is now available. There’s no time to argue. Just fix it. Make it go away. Also, could you make it look like it never happened?

Act III: The Proactive Era (aka The Sober Morning After)

After the breach post-mortem (read: corporate blame-passing session with catered sandwiches), the question shifts to “What’s next?”

Now, finally, the mood is all proactive. People want dashboards, frameworks, maturity curves, and a clear path to never again. It’s like joining a gym after a heart scare — the treadmill gets a lot of attention for the first two weeks.

This is the moment to push a smarter, sustained approach. The goal? Use the budget wisely before it evaporates into “business-as-usual” again. Here’s how to get the most from what you already have (and stop buying overlapping tools just because a sales guy said “AI”).

Tips from the Edge (Where the Wi-Fi’s Bad and the SOC’s on Fire):

1. Consolidate Vendors (aka Stop Collecting Infosec Pokémon)

You don’t need five endpoint tools, six dashboards, and a budget that reads like a Marvel crossover event. Fewer vendors = more buying power, fewer integration nightmares, and one less portal you forget the password for.

2. Review Features (aka Read the Damn Manual)

Your tools probably do more than you think. In fact, you may already own the thing you’re about to buy again. It’s like discovering your car has seat warmers after buying a heated cushion from Bunnings.

3. Ditch Overlapping Products (aka Stop Paying Twice for the Same Thing)

Running two tools that do the same thing? Pick a winner. Kill the duplicate. Pocket the savings. Bonus: your team might actually learn how to use the one that stays.

4. Leverage What You Already Own (aka Use the Stuff You Paid For)

Check your existing stack. There are features in there that could be activated with a tick box — but haven’t been, because someone was “waiting for phase two.” Activate them. Use them. Brag about them in meetings.

5. Negotiate Like a Bastard (aka Never Accept the First Quote)

Vendors want to sell. You want to buy. Somewhere in between lies the truth, preferably with a 20% discount and a free training subscription. Always ask for more. Especially if renewal’s coming up.

Final Thoughts from the Burnout Bunker

The best time to secure your environment was yesterday. The second-best time is right after a breach. But if you’re only thinking about this now because your SharePoint’s been ransomwared and your CEO just learnt what “lateral movement” means — well, welcome to the game.

Security isn’t just about tech. It’s about mindset. And unfortunately, the mindset usually arrives two days after the attackers do.

So: optimise what you’ve got. Challenge what you don’t need. And for the love of Tim Berners-Lee, stop pretending a PowerPoint deck with a castle diagram is a security strategy.

“Security isn’t something you buy once. It’s something you have to survive every day.”

– Anonymous, probably crying in a server room