Cybersecurity Is Broken — And It’s Our Fault

You come from a noble lineage.

The 1337 h4ck3rs, the elite hackers. Not criminals. Not compliance officers. Hackers in the original sense: tinkerers, breakers, builders. People who couldn’t resist pulling apart a system just to see how it worked, and then, if they were good, putting it back together better than they found it.

That mindset gave birth to cybersecurity.

The first defenders weren’t checking boxes. They were inventing them. They were weird, curious, obsessive, and brilliant. But somewhere along the way, we stopped trying to hack the system. We became the system. And now we’re stuck inside something we helped build, a sprawling, half-integrated mess of controls, dashboards, alerts, and assumptions.

This series is about tearing that apart, not for the sake of destruction, but to understand it and rebuild it stronger.

Hacking Cybersecurity: A Series for the Profession

This isn’t a rant. It’s a teardown.

Hacking Cybersecurity is a chance to do what we’ve done for every other vulnerable system, except this time, the vulnerable system is us. Our profession. Our field. The way we do cybersecurity.

We’re treating this like a pentest report for the industry.

We’ll highlight what’s broken, not just in tech, but in process, procedure, and mindset. We’ll point to poor integrations, unclear ownership, and brittle assumptions. And just like in any good penetration test report, we’ll offer remediation suggestions. Not just because we want to be right, but because we want to get better.

We Rushed It to Production

Here’s the uncomfortable truth: You know the problems we see in insecure code and misconfigured cloud networks? We did the same thing when we built our own field.

We rushed to production.

We duct-taped security onto businesses after breaches, after compliance mandates, after someone got scared. We focused on controls, not context. On tooling, not trust. We skipped the planning phase and launched straight into operations. And now we’re paying for it with technical debt baked into our job descriptions.

We criticize others for not threat modeling their architecture. But we never modeled ours.

We Focused on the Problem, Not the Point

We got very good at solving threats. We got even better at identifying risk. But we never made the business case for ourselves.

We didn’t focus on enabling the mission. We focused on protecting the perimeter.

And that makes sense. We were responding to a clear need. But in the process, we overlooked the fact that the most effective security programs don’t just reduce risk. They accelerate value.

Security isn’t here to stop things from going wrong. It’s here to help the business do bold things safely.

But we rarely framed it that way. And the business noticed.

We Built Without Feedback

We never tested our assumptions with the actual users, our stakeholders in the business.

While product teams validated ideas through iteration and user feedback, we built static frameworks and assumed they were obvious. We didn’t measure what mattered to the board. We didn’t align with outcomes. We didn’t learn to speak the language of business impact.

And when the business didn’t “get it,” we blamed them.

The reality? We shipped a version of security they never asked for and couldn’t understand.

We Let Others Define Us

And so, the business filled in the blanks.

They saw us as overhead. They labeled us blockers. They described us with phrases like “cost center” and “necessary evil.”

That didn’t happen because executives are malicious. It happened because we never gave them a better frame.

We focused on being correct instead of being valuable. We chose precision over persuasion. We thought the tech was the hard part.

It wasn’t.

So What Do We Do Now?

We own it.

We acknowledge the architectural flaws. We accept that our current posture is the result of rushing, reacting, and building without alignment. And we start fixing it, just like we would any vulnerable system.

We begin with a mindset shift.

Security isn't valuable just because it's “important.” It’s valuable when it's integrated, explained, and applied in service of the organization's goals. It needs to be user-centered. In this case, the user is the business itself.

The path forward isn't more fear, more metrics, or more tools.

It’s clarity. It’s alignment. It’s influence earned through understanding.

What’s Next

In the next article, we’ll dissect the label that’s been used to hold us back for decades: “The Cost Center Curse.”

We’ll examine its origin, why it persisted, and how we can overcome it.

Spoiler: it’s not just that they called us a cost center. It’s that we’ve acted like one.

Stay tuned. The remediation plan is just getting started.

Aaron Birnbaum

Security Savvy Speaker & Practitioner | vCISO | TRaViS ASM | Seron Security | CISSP | MBA | Thoughts, opinions, rants, etc. are my own and not affiliated with any employer/partner/contractor/babysitter/relative.

2mo

YUP!

Albert Hutchings

Comptia A+ | ISC2 Certified in cyber

2mo

This sounds interesting, I love to analyze everything. I am just starting my journey so whatever you have planned might give me a better understanding of cybersecurity as a whole.

Because we failed to make it a priority, integrate it across the business, and hold people accountable. But we can fix it — if we act now.

Too Much Tech, Too Little Strategy
Companies buy the latest firewalls, AI tools, or SIEMs — but don’t integrate them properly. Security becomes a “checkbox” instead of a risk-based priority.

People Still Click the Phish
Despite training, human error remains the biggest vulnerability. Weak passwords, reusing credentials, and ignoring updates make the attacker’s job easy.

Lack of Leadership Accountability
Many boards and CEOs still treat cyber as an IT issue, not a business risk. Only 14% of CISOs report directly to the CEO (source: IBM Security, 2024).

Thanks for sharing, Josh
