
Cybersecurity’s Quiet Reckoning

  • Paul Gray
  • Apr 27
  • 5 min read

Updated: May 3

Why Controls Fail When Trust Replaces Verification


“AI-generated cybersecurity operations center image.” Created by ChatGPT (OpenAI DALL·E), 2026.


Cybersecurity, once treated as a cost center buried beneath IT, has become a defining variable in enterprise value.


Yet despite record spending—global cybersecurity outlays are projected to exceed $215 billion in 2024 according to Gartner—breaches continue to compound in scale, frequency, and cost. The issue is no longer awareness. It is execution.


IBM’s 2024 Cost of a Data Breach Report puts the average breach at $4.45 million globally, the highest on record, with U.S. firms facing even steeper losses. But averages obscure what markets actually punish: operational breakdowns, governance failures, and the erosion of trust. When breaches occur, they rarely stem from a single point of failure.


They emerge from systems that were designed to be compliant—but not resilient.


Multinational firms have responded with aggressive investment cycles. Microsoft, for instance, committed over $20 billion to cybersecurity over five years, embedding security across its cloud stack and enterprise offerings.


JPMorgan Chase reportedly spends more than $600 million annually on cybersecurity, employing thousands of engineers dedicated to defending its infrastructure. These are not defensive budgets; they are strategic reallocations acknowledging that cyber risk is now financial risk.

Yet scale alone has not solved the problem.


The 2017 Equifax breach, which exposed the personal data of 147 million Americans, was ultimately traced to an unpatched vulnerability—arguably the most basic failure mode in cybersecurity. The fallout included over $1.4 billion in settlements and a long-term reputational discount.


Similarly, the 2020 SolarWinds attack demonstrated how deeply supply chain vulnerabilities can penetrate even the most sophisticated organizations, impacting government agencies and Fortune 500 companies alike.

More recently, the 2023 MOVEit breach exploited third-party software to compromise hundreds of organizations, reinforcing that perimeter security is no longer a sufficient defense.


What these incidents reveal is not a lack of tools, but a misalignment between responsibility and verification.


Kyle Marks, CEO of Retire-IT, frames the issue with unusual precision: “For founders and CEOs, the biggest risk in off-boarding isn’t whether devices are collected or wiped. It’s whether there’s proof of what actually happened to them. No vendor can protect an asset it never receives.


Most organizations rely on internal checklists and vendor documentation, which are fundamentally trust-based. Best practice is to separate responsibility from verification and independently reconcile what was expected to transfer with what was actually received.


No one should be grading their own work. Otherwise, you don’t have a control. You have documentation. Certification shows a vendor meets a standard. Verification shows what actually happened. In ITAD, most organizations have the former. Very few have the latter.”


This distinction—between certification and verification—is where many firms quietly fail. Compliance frameworks like ISO 27001 or SOC 2 provide necessary baselines, but they are not substitutes for operational truth. As Bruce Schneier, a widely cited security expert and Harvard fellow, has noted, “Security is a process, not a product.”


The implication is clear: controls that cannot be independently validated are, in practice, assumptions.


Financial institutions have begun internalizing this. Goldman Sachs and Morgan Stanley have increasingly emphasized zero-trust architectures, where no user or device is inherently trusted, even within the network perimeter.


The National Institute of Standards and Technology (NIST) formalized this approach in its Zero Trust Architecture guidance, arguing that “implicit trust in any one element…is a vulnerability” (NIST SP 800-207). In practice, this means continuous authentication, granular access controls, and constant monitoring rather than periodic audits.


As James Oliverio, Founder & CEO of ideaBOX, observes, the shift requires a more fundamental reframing of how organizations define control: “The firms that get this right stop thinking about cybersecurity as a perimeter and start thinking about it as a discipline.


That means zero-trust access, encryption by default, rigorous third-party and vendor risk management, and treating every employee as part of the defense, because attackers no longer break in; they log in. Resilience comes from assuming compromise is inevitable and rehearsing your response before you need it.” Oliverio’s framing reinforces that architecture alone is insufficient without organizational alignment.


Oliverio’s emphasis on discipline over perimeter also underscores a broader reality: security failures increasingly stem from gaps in execution rather than gaps in tooling.


Large technology firms are moving in parallel. Google’s BeyondCorp initiative effectively eliminated the traditional corporate VPN by shifting to identity-based access controls, a model now widely emulated.


Amazon Web Services has embedded automated threat detection and response into its cloud infrastructure, reducing reliance on manual intervention. These systems are not designed to prevent every breach—they are designed to limit blast radius when breaches occur.


The academic consensus reinforces this shift. Researchers at MIT Sloan have argued that “cybersecurity resilience depends less on preventing intrusions and more on detecting and responding to them rapidly” (MIT Sloan Cybersecurity Initiative).


Similarly, the World Economic Forum has highlighted that over 95% of cybersecurity issues can be traced to human error, underscoring that governance and process design are as critical as technology investment.


Where firms continue to struggle is in transitional moments—offboarding employees, decommissioning assets, integrating acquisitions—where systems are least standardized and oversight is fragmented. These are precisely the environments where verification breaks down and attackers exploit ambiguity.

The path forward is not conceptual. It is operational.


First, firms must decouple execution from validation. Independent reconciliation—whether in asset disposition, access revocation, or data transfer—should be standard practice.


Second, cybersecurity must be treated as a continuous control environment, not a periodic audit function. Third, supply chain risk must be elevated to the same level as internal risk, with third-party verification protocols that extend beyond contractual assurances.
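The "independent reconciliation" the first step calls for, and the reconciliation of expected versus received that Marks describes for ITAD, is a small, mechanical control once the two records are kept apart. The script below is an added illustration, not code from the article, Retire-IT, or any vendor; every input in it is constructed sample data (an internal hand-off manifest, a vendor's sanitisation certificate, an HR offboarding list and an identity-provider snapshot), and the field names and disposition values are assumptions for the example. The point it makes is that the control passes only when our own record and the third party's evidence agree item by item; anything expected but unevidenced, evidenced but unexpected, or evidenced with a different outcome is a finding, regardless of what the checklist or the certificate says.

```python
from dataclasses import dataclass


def normalize_serial(serial: str) -> str:
    """Canonicalise serial numbers so 'sn-0001' and 'SN0001' compare equal."""
    return serial.strip().upper().replace("-", "").replace(" ", "")


@dataclass
class Reconciliation:
    matched: set      # our record and the independent evidence agree
    missing: set      # expected by us, but no independent evidence it happened
    unexpected: set   # evidenced by the other party, but never in our own records
    mismatched: dict  # key -> (outcome we expected, outcome evidenced)

    @property
    def control_holds(self) -> bool:
        # A control is only a control when every item reconciles exactly.
        return not (self.missing or self.unexpected or self.mismatched)


def reconcile(expected: dict, evidence: dict, normalize=lambda k: k) -> Reconciliation:
    """Compare what we recorded as expected against evidence from an independent source."""
    exp = {normalize(k): v for k, v in expected.items()}
    obs = {normalize(k): v for k, v in evidence.items()}
    matched, mismatched = set(), {}
    for key in exp.keys() & obs.keys():
        if exp[key] == obs[key]:
            matched.add(key)
        else:
            mismatched[key] = (exp[key], obs[key])
    return Reconciliation(matched, exp.keys() - obs.keys(), obs.keys() - exp.keys(), mismatched)


# Constructed sample: our own hand-off manifest (what we expected to transfer and why)
ASSET_MANIFEST = {
    "SN-0001": "destroy",
    "sn-0002": "wipe",
    "SN-0003": "wipe",
    "SN-0004": "destroy",
}
# Constructed sample: the vendor's certificate of sanitisation/destruction, as delivered
VENDOR_CERTIFICATE = {
    "SN0001": "destroy",   # same asset, different serial formatting
    "SN-0002": "wipe",
    "SN-0003": "destroy",  # vendor did something other than what we asked
    "SN-0005": "wipe",     # vendor certifies an asset we never sent
}


def reconcile_assets() -> Reconciliation:
    """ITAD check: manifest versus certificate, with serials normalised before comparing."""
    return reconcile(ASSET_MANIFEST, VENDOR_CERTIFICATE, normalize_serial)


# Constructed sample: HR offboarding list, i.e. the accounts that should now be disabled
OFFBOARDED = {"alice": "disabled", "bob": "disabled", "dave": "disabled"}
# Constructed sample: a snapshot pulled directly from the identity provider, not from the ticket queue
IDP_SNAPSHOT = {"alice": "disabled", "bob": "active", "carol": "active"}


def reconcile_revocations() -> Reconciliation:
    """Access-revocation check: only offboarded users are in scope, so other active
    accounts are not findings here. A user absent from the IdP snapshot ('dave') is
    reported as missing: absence of a record is not evidence that revocation happened."""
    in_scope = {user: status for user, status in IDP_SNAPSHOT.items() if user in OFFBOARDED}
    return reconcile(OFFBOARDED, in_scope)


def report(name: str, r: Reconciliation) -> str:
    lines = [
        f"{name}: {'PASS' if r.control_holds else 'FAIL'}",
        f"  matched    : {sorted(r.matched)}",
        f"  missing    : {sorted(r.missing)}",
        f"  unexpected : {sorted(r.unexpected)}",
    ]
    for key, (want, got) in sorted(r.mismatched.items()):
        lines.append(f"  mismatch   : {key} expected={want!r} evidenced={got!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("ITAD disposition", reconcile_assets()))
    print(report("Access revocation", reconcile_revocations()))
```

Run as-is, both checks fail: one server has no certificate at all, one laptop was destroyed when a wipe was requested, the vendor certifies a serial we never shipped, and one offboarded account is still active in the identity provider. The same `reconcile` function serves any of the transitional moments the article names (disposition, revocation, data transfer) as long as the "expected" side comes from our own records and the "evidence" side from a source the executing party does not control.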


There is a tendency to frame cybersecurity as an arms race between attackers and defenders. That framing misses the more structural issue: most breaches are not the result of superior adversaries, but of unverified assumptions embedded in complex systems.


As Warren Buffett has observed in a different context, “Risk comes from not knowing what you’re doing.” In cybersecurity, that ignorance is rarely total. It is incremental—small gaps in verification, overlooked dependencies, untested controls—that compound into systemic failure.


The market has begun to price this reality in. Firms that demonstrate not just compliance, but verifiable control integrity, are increasingly differentiated. In a landscape where trust is both the asset and the liability, documentation is no longer enough.


Proof is the product.


Citations


Gartner. “Gartner Forecasts Worldwide Security and Risk Management Spending to Grow 14% in 2024.” Gartner, 28 Aug. 2023, https://www.gartner.com/en/newsroom/press-releases/2023-08-28-gartner-forecasts-worldwide-security-and-risk-management-spending-to-grow-14-percent-in-2024.


IBM Security. Cost of a Data Breach Report 2024. IBM, 2024, https://www.ibm.com/reports/data-breach.


Federal Trade Commission. “Equifax Data Breach Settlement.” FTC, https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement.


Cybersecurity and Infrastructure Security Agency (CISA). “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.” CISA, 17 Dec. 2020, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a.


Progress Software Corporation. “MOVEit Transfer and MOVEit Cloud Vulnerability.” Progress, 2023, https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability.


National Institute of Standards and Technology. Zero Trust Architecture. NIST Special Publication 800-207, U.S. Department of Commerce, 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.

Massachusetts Institute of Technology, Sloan School of Management.



World Economic Forum. Global Cybersecurity Outlook 2023. World Economic Forum, 2023, https://www.weforum.org/reports/global-cybersecurity-outlook-2023/.


Microsoft. “Microsoft Will Invest $20 Billion to Advance Security Solutions.” Microsoft On the Issues, 14 Oct. 2021, https://blogs.microsoft.com/on-the-issues/2021/10/14/microsoft-cybersecurity-investment/.


Financial Times. “JPMorgan Spends Heavily on Cybersecurity.” Financial Times, https://www.ft.com/content/0c0f6f36-9b4f-11e5-9228-87e603d47bdc.


Schneier, Bruce. Schneier on Security. https://www.schneier.com.


Buffett, Warren. Berkshire Hathaway Inc. https://www.berkshirehathaway.com.
