TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security AI-Assisted Supply Chain Attack Targets GitHub AI-Assisted Supply Chain Attack Targets GitHub by Jai Vijayan Apr 6, 2026 3 Min Read Vulnerabilities & Threats Fortinet Issues Emergency Patch for FortiClient Zero-Day Fortinet Issues Emergency Patch for FortiClient Zero-Day by Rob Wright Apr 6, 2026 3 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America Recent in World See All Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read Threat Intelligence Iran's Cyber-Kinetic War Doctrine Takes Shape Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi Mar 6, 2026 4 Min Read The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Cyber Risk Cybersecurity Analytics Cybersecurity Operations Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. Lies, Damned Lies, and Cybersecurity Metrics A panel of five C-suite leaders discuss how cybersecurity success is measured and why it isn't improving results. Joan Goodchild , Contributing Writer , Dark Reading April 7, 2026 4 Min Read Source: Paulaphoto via Adobe Stock Despite years of increased spending, investments in more tooling, and more talent flooding into the industry, cybersecurity outcomes seem to be getting worse. During a panel discussion in Las Vegas last month, a group of cybersecurity leaders said the problem runs deeper than attackers or technology. The panel, titled "Hard Truths in Cybersecurity: Fear, Liability, and the Industry's Biggest Lies," focused on what's broken in cybersecurity. "Every year, we do more, and every year, the results get worse," said Andrew Rubin, CEO of Illumio. "The number of breaches, the size of the breaches, and the economic losses have gone up." SolarWinds CISO Tim Brown, Microsoft deputy CISO Sherrod DeGrippo, CEO and founder of Fortalice Solutions and former White House CIO Theresa Payton, and Nationwide Building Society chief security and resilience officer David Boda discussed the disconnect between investment and outcomes. What emerged from the discussion was a set of assumptions the industry continues to rely on for successful defense, even as the results suggest otherwise. Related: Shadow AI in Healthcare Is Here to Stay Lie 1: Activity Equals Progress There is a misalignment in how cybersecurity is measured and managed. "I do believe that cybersecurity is fundamentally broken,"Payton said. "It's measured in terms of activity instead of reduction of threat surface." The emphasis on checklists, metrics, and compliance frameworks, rather than outcomes, has created a system where organizations can appear secure on paper while remaining exposed in practice. Organizations need to rethink how they define success, starting with how security controls actually affect users and business operations."We need to literally start with the human user story," Payton said, pointing to the disconnect between security programs and how employees and customers interact with systems. Many security awareness programs have also become routine and ineffective. "Your cybersecurity awareness training — they're snoozing, they're losing. So just reimagine, reenergize." Instead of periodic training, Payton suggested reinforcing secure behavior through incentives, recognition, and integrating security into everyday workflows. Lie 2: We Can Prevent Everything If prevention falls short, what's next?"You cannot protect everything," Payton said, noting that means understanding what matters most to the organization — not just systems, but data, business processes, and the company's "crown jewels." For Nationwide's Boda, that shift is already reflected in how security teams operate."I spend like 50% of my time on response and recovery, not because we get hit every day, but because that's really hard to do right," Boda said.Building the ability to respond under pressure and restore operations requires coordination across the organization and repeated practice."To get a whole organization to respond and recover effectively under pressure is really important,"Boda said.That requires building repeatable processes and coordination across teams, not just adding more controls, he added. Related: Why a 'Near-Miss' Database Is Key to Improving Information Sharing Lie 3: We Understand Our Threats Microsoft's DeGrippo noted a gap in how organizations approach threat modeling. In many cases, they are operating on assumptions about how attacks happen. "People talk a lot about threat models, but they don't actually have anything written down," DeGrippo said. "They haven't actually done the research."Security teams need to be prepared for attacks from all parts of the threat landscape. Regardless of motive, by the time attribution happens, the attacker is already inside. The distinction between different threat actors matters less in practice, DeGrippo said. Whether an attack is financially motivated or nation-state backed, the tactics are often similar and the outcome is the same once access is established.DeGrippo also noted a growing third category of attacker: socially motivated actors. With artificial intelligence (AI) lowering the barrier to entry, a single individual can operate with the scale and persistence once associated with more sophisticated groups. That means security teams need to focus less on who the attacker is and more on how quickly the attacker can gain and maintain access. Related: With Government's Role Uncertain, Businesses Unite to Combat Fraud Lie 4: More Technology Will Fix It AI is accelerating both sides of the equation, forcing organizations to decide how they are going to use it. The technology is already capable of automating large parts of detection and response, but it is not yet ready for 100% automation, Fortalice's Payton said. Organizations should focus on building auditability, visibility, and control before expanding automation further.At the same time, those same capabilities are reshaping the threat landscape."An agent doesn't get tired," SolarWinds' Brown said. "An agent can read emails for a year and slowly go after things."That kind of persistence changes the economics of attack. What once required significant resources can now be sustained indefinitely. And AI's impact is already visible."Technology has put the power of a nation-state in the hands of organized crime," Brown said.Many organizations still rely on legacy approaches, such as signature-based detection and traditional data loss prevention. Those controls continue to have a role but are often treated as sufficient when they are not, Nationwide's Boda said. Organizations need to evaluate how those defenses perform against real-world attack scenarios. Lie 5: We Know What's Working Another often-incorrect assumption is that systems are configured correctly. In most cases, the security issues are not the result of malice. The issues often come from routine changes, such as increased access or configuration drift that no one noticed. Teams need to continuously audit and test environments to catch risks that traditional scans miss. Security must be treated as something that is continuously validated, not assumed to be working."Don't assume, don't trust, verify," Brown said. About the Author Joan Goodchild Contributing Writer, Dark Reading Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. See more from Joan Goodchild Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports AI SOC for MDR: The Structural Evolution of Managed Detection and Response How Enterprises Are Developing Secure Applications Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Gartner IGA Voice of the Customer 2026 Access More Research Webinars Identity Maturity Under Pressure: 2026 Findings and How to Catch Up Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN More Webinars Edge Picks Application Security AI Agents in Browsers Light on Cybersecurity, Bypass Controls AI Agents in Browsers Light on Cybersecurity, Bypass Controls Cyber Risk Browser Extensions Pose Heightened, but Manageable, Security Risks Browser Extensions Pose Heightened, but Manageable, Security Risks Latest Articles in The Edge Cyber Risk Shadow AI in Healthcare Is Here to Stay Apr 6, 2026 | 4 Min Read Data Privacy Inconsistent Privacy Labels Don't Tell Users What They Are Getti