Cyber Risk Is NOT a Cybersecurity Problem
By: ‘dayo Asubiojo MSc, CISM, CISA, CISSP - 10th February 2026
The Same Story, Every Time
Spend enough time reading breach disclosures and post-incident reports and a pattern becomes obvious. The tools change. The attack methods evolve. The outcomes, however, are depressingly familiar.
It usually looks like this: a company is breached. Investigators uncover an unpatched system, excessive access privileges, or a third-party connection that should have been restricted years earlier. Public statements describe a technical failure. Internally, the real issue is always about decisions: who made them, who postponed them, and who assumed someone else was responsible.
That is why calling cyber risk a cybersecurity problem misses the point.

Controls vs. Choices
Cybersecurity is about controls. Cyber risk is about choices.
Security teams deploy tools, configure defenses, monitor alerts, and respond to incidents. What they rarely control are the business decisions that create exposure in the first place: whether systems can be taken offline for patching, whether risky vendor access can be limited, or whether speed to market outweighs security concerns.
Those are leadership decisions, even when they are disguised as technical constraints.
The Verizon Data Breach Investigations Report has shown this year after year. Most breaches stem not from sophisticated attacks, but from known weaknesses left unresolved - misconfigurations, stolen credentials, and vulnerabilities for which patches already existed. These are not failures of awareness. They are failures of prioritization.
When Everyone Owns Risk, No One Does
In many organizations, cyber risk exists in a gray zone. Security teams raise concerns, but they are framed as technical issues rather than business trade-offs. Risk exceptions accumulate because “there’s no alternative right now.” Temporary workarounds quietly become permanent.
Over time, exposure is normalized.
When an incident occurs, the familiar question appears: Why didn’t security stop this? The more important question is rarely asked: Who decided this risk was acceptable, and on what basis?
Often, no one can answer clearly.
Brian Krebs’ reporting has highlighted this pattern repeatedly. In many of the major breaches that have been made public, the organization already knew about the vulnerability, often well before attackers exploited it. The issue was not ignorance. It was inactivity. Fixing the problem would have required downtime, funding, or executive resolve that leadership was not prepared to commit.
Governance Is the Missing Control
Modern technology environments have made this problem worse. Cloud services and third-party ecosystems have expanded attack surfaces beyond what security teams can directly control. The NIST Cybersecurity Framework 2.0 makes this explicit by separating governance from technical execution and emphasizing that risk management is an organizational responsibility.
Organizations that manage cyber risk well do not rely on heroics from security teams. They force risk decisions into the open. They require explicit ownership of accepted risk. And they revisit those decisions as conditions change.
Cybersecurity remains essential. But controls without governance are just optimism with a budget.
Cyber risk is not a cybersecurity problem. It is a leadership problem, expressed through technology, and it cannot be fixed simply by purchasing another tool.
References
- Verizon. (2023). 2023 Data Breach Investigations Report.
- Krebs, B. (2017). Equifax Breach Was Entirely Preventable. Krebs on Security.
- Krebs, B. (2020). Who’s to Blame When Third Parties Get Breached? Krebs on Security.
- NIST. (2024). Cybersecurity Framework 2.0, Govern Function (GV), Sections GV.RM and GV.OV.