You’ve surely been on the receiving end of sage advice on how to change habits. You’ve heard something like ‘identify a specific goal’ or ‘start small’. The bit of advice you’ve likely never heard is ‘buy this expensive, complex gadget and let it fix everything for you’. It’s because that doesn’t work. Yet, businesses just like yours forget this when it comes to information security. They spend lavishly on NextGen Firewalls that will never be fully configured and SIEMs that no one will be monitoring six months from now, while forgetting that a dozen daily-use accounts have Domain Admin privileges and three IT managers’ M365 accounts are Global Administrators. A classic case of locking all the windows and leaving the front door wide open.
We’re all susceptible to this trap. It’s easy to buy stuff; it’s difficult to do stuff. It’s a simple truth I was reminded of recently when I started hiking a nearby trail every Sunday morning, trying to spend more time in nature. After a couple of Sundays, I started researching carbon-fiber trekking poles and a high-end backpack – tools that I ‘just knew’ would upgrade my experience on the trail. Just like that, I was caught in the trap – trying to buy capability rather than put in the hard miles to build a good habit.
That isn’t to say that carbon-fiber poles or NextGen Firewalls aren’t excellent tools, but they’re only a part of the solution. The greater part is a well-planned process consistently executed with meticulous discipline. The process will always depend on quality tools, but products alone don’t create security. No firewall, no email security platform, no endpoint protection is perfectly secure against all the threats your organization faces. Companies with deeper pockets than yours have proven it’s possible to be breached even with state-of-the-art tools deployed.
Rethink Security
Let’s shift our thinking about data security. If there’s no way to ensure complete threat avoidance – and there isn’t – start thinking in terms of risk management. Understand the risks your business faces and build a plan that addresses those risks with multiple lines of defense. Know that products will fail and build in redundancy that protects against those failures. Remember that complexity creates more surface area to protect and always prioritize simplicity in the solutions you deploy.
Don’t assume your email security gateway will stop every phishing attack. Build multiple lines of defense by training your team to recognize and safely report suspicious emails.
Don’t just run backups every night. Expect that products will fail and test the restore process on a regular schedule to ensure your most important data is protected.
Don’t rely on access control policies alone – run quarterly reviews to monitor and mitigate the drift between policies and practice before those over-privileged accounts become a liability.
Build Habits
Most importantly, don't ever stop. Start with your biggest vulnerabilities - those over-privileged accounts, that untested backup system - and address them first. Then keep layering in improvements. Add phishing training this quarter. Schedule those access reviews next month. Each change incrementally hardens your environment.
Train your people to recognize this reality: there is no finish line, no single purchase that solves the problem. Just the discipline of continuous, small improvements over time.
Like showing up at the trailhead every Sunday morning.
At Vibrant Technology, we help businesses build those habits - the operational rhythm that turns good tools into actual security. If you're ready to move past the purchase order and start building resilience, let's talk.




