Stop Doing Everything, Start Doing What Matters

The sharpest security people I know keep saying a version of the same thing, and it has never sounded flashy and it has always sounded right.

Look at your industry and how attackers actually go after organizations like yours. Take their top techniques and get really good at stopping those. Everything else is just the basics: hire people who come out of incidents stronger, continuously test your controls, set alerts that matter instead of creating noise.

Security is not about doing everything. It is about doing the right things well.

What This Means for the CIO, CTO, and CISO

Focus on your industry's actual attack patterns, not theoretical comprehensive security. The techniques that hit your peers are the techniques that will hit you. Get really good at stopping those.

Consultants bring domain expertise. Your team brings tribal knowledge. The ideal engagement combines both: consultants who know the threat landscape, your team who knows the crown jewels and political landmines.

Most consultants are bad at the basics. They focus on easy-to-bill, flashy projects that are treatment, never cure. An ounce of cure is worth a pound of treatment. Demand consultants who fix root causes.

The Inside Perspective

When I ran security teams, the most valuable people were not the ones who knew the most frameworks or had the longest certification lists.

They were the people who understood our specific threat model. Who knew which attacks actually happened to organizations like ours. Who could look at our architecture and say here is where you are exposed to the attacks that matter.

I have sat through too many security assessments that checked every box in a compliance framework while missing the obvious: we were vulnerable to the exact attacks that were hitting our industry that quarter.

The consultants would deliver comprehensive reports covering hundreds of controls. Meanwhile, the ransomware groups hitting our competitors were getting in through three specific vectors that were not even on the assessment.

The best security person I ever worked with would start every conversation with a question. What are the bad guys actually doing to organizations like us right now? Then: are we good at stopping that? If not, that is the priority.

Not sexy. Not comprehensive. But we avoided incidents our peers did not.

The Outside Observation

The security industry is bad at the basics.

Consultants are especially bad. They focus on what is easy to bill for. What is splashy. What creates ongoing engagements rather than actually fixing problems.

An ounce of cure is worth a pound of treatment. Most consulting engagements are pure treatment. They create dependency, not capability.

I watch consultants sell comprehensive security programs that cover everything and protect nothing. They deliver reports that check compliance boxes but do not address the actual threats the organization faces.

The pattern is consistent:

• Six-month assessment covering 200 controls.
• Detailed findings report with 150 recommendations.
• Prioritized remediation roadmap spanning three years.
• Ongoing monitoring engagement to maintain posture.

Meanwhile, the three attack vectors actually being used against that industry are not addressed because they do not map cleanly to the framework being assessed against.

This is not malicious. It is structural. Consultants get paid for comprehensive. Comprehensive does not mean effective.

The Uncomfortable Truth

Security is not about doing everything. It is about doing the right things well.

What most organizations do:

• Try to address every control in every framework.
• Spread resources across 200 findings equally.
• Focus on compliance checkbox completion.
• Implement tools that cover maximum theoretical attack surface.
• Measure by controls implemented, not threats stopped.
• Result: comprehensive on paper, vulnerable in practice.

What actually works:

• Identify the top five techniques used against your industry.
• Focus resources on stopping those specific attacks.
• Prioritize by actual threat, not framework coverage.
• Implement controls that stop known attack patterns.
• Measure by incidents avoided, not checkboxes completed.
• Result: gaps on paper, resilient in practice.

The organization that stops the attacks that matter beats the organization that checks all the boxes every time.

The Consultant Problem

Most consultants are optimized for billing, not outcomes. The business model explains why.

A comprehensive assessment means more findings, which means more billable work. Complex solutions mean more implementation hours. Ongoing maintenance is treatment instead of cure, which means recurring revenue. Dependency means the client cannot operate without the consultant, which means permanent engagement.

The incentives follow the model. Consultants who actually fix problems work themselves out of a job. Consultants who create dependency have long-term revenue streams. Simple solutions that build internal capability do not generate fees. Complex solutions that require ongoing support do.

This is not about individual consultants being bad people. It is about a business model that rewards treatment over cure.

The Shared Responsibility Model That Actually Works

There is a better way. It requires clarity about what consultants bring versus what your team brings.

What consultants bring is domain expertise: deep experience across multiple organizations in your industry, knowledge of the threat landscape and current attack trends, technical depth in specific security domains, the ability to pattern-match against what they have seen elsewhere, and access to intelligence on the techniques currently being used.

What your team brings is tribal knowledge: understanding of how your business actually operates, knowledge of crown jewels and critical assets, awareness of political landmines and organizational dynamics, context on why things are the way they are, the relationships needed to actually get things done, and institutional memory of past decisions and their outcomes.

The ideal collaboration combines them. Consultants identify threats relevant to your specific organization. Your team provides context on business impact and feasibility. Together you prioritize based on actual risk, not theoretical completeness. Consultants provide implementation guidance and technical depth. Your team ensures solutions fit organizational reality. The outcome is internal capability built, not dependency created.

The good version sounds like this. The consultant says ransomware groups targeting your industry use these three entry vectors. The internal team says here is which of those we are exposed to and which crown jewels they would reach. Together that is a focused remediation plan. The bad version is the consultant handing over 200 findings from a framework assessment and the internal team trying to address all 200 equally. That is comprehensive failure.

What Doing the Basics Actually Means

Let's be specific about what the basics are, because doing the basics sounds simple but most organizations get it wrong.

Hire people who get stronger in incidents. Not based on certifications and resume keywords. Hire for curiosity, resilience, and judgment under pressure. Look for people who learn from failure. Ask them to tell you about an incident they handled badly and what they learned. The people who cannot answer that question well are not the people you want in your SOC when things go bad. Build teams that get better through experience, not just training.

Continuously test controls and behavior. Not an annual penetration test and call it done. Regular testing of specific controls against the techniques that target your industry. Test both technology and human response. Run tabletop exercises for incident response. Measure whether your controls actually stop the attacks that matter. Iterate based on what you learn. Testing that does not change anything is just theater.

Set alerts that matter. Not alert on everything and drown in noise. Alert on indicators of the attacks you are actually likely to face. Tune continuously based on false positive rates. Prioritize alerts your SOC can actually investigate. Test whether your alerts would catch the patterns from known incidents in your industry. An alert you ignore is worse than no alert. It trains your team that alerts do not matter.

These sound simple. They are not. Most organizations fail at all three. The ones that get them right avoid incidents their peers do not.

How to Evaluate Consultant Engagements

Use this test to evaluate whether an engagement will build capability or create dependency. Ask these questions explicitly in the proposal phase.

1. Does the engagement start with your industry's actual threat landscape? If no, that is a red flag. A cookie-cutter approach will not address your real risks.
2. Does the consultant ask about your crown jewels and critical assets? If no, they will assess everything equally instead of focusing on what matters.
3. Is the deliverable focused on specific high-priority fixes or comprehensive coverage? If comprehensive, that is a warning. It likely creates an overwhelming backlog you cannot prioritize.
4. Does the proposal include knowledge transfer to build internal capability? If no, that is a dependency model. You will need them forever.
5. Can the consultant explain the root cause they are fixing versus the symptoms they are treating? If no, that is treatment, not cure.

Zero to one yes means do not engage. This is billing theater. Two to three yes means proceed with caution and set clear outcomes. Four to five yes means a good engagement that is likely to add value. Consultants who get defensive about outcome-focused questions are not consultants you want.

The Crown Jewels Conversation

Every organization has crown jewels. Most security programs do not know what they are.

Business crown jewels are what makes you money: your competitive advantage, IP that differentiates you, customer data that enables operations, systems that directly generate revenue. The question is whether the business would fail if you lost this.

Operational crown jewels keep operations running: infrastructure that enables business functions, data needed for core processes, access to critical third parties. The question is how long until business impact if you lost this.

Reputational crown jewels are data that would damage reputation if compromised: systems that affect customer trust, information that would be embarrassing if leaked, compliance-sensitive data. The question is whether customers would leave if this leaked.

Political landmines are systems that are technically wrong but politically untouchable: decisions made by executives that cannot be questioned, vendor relationships with political protection, projects that failed but nobody admits it. The question is whether trying to fix this will get you fired.

Your team knows the answers to these questions. Consultants do not. This is the tribal knowledge that makes security programs actually work. Good consultants ask these questions and listen to the answers. Bad consultants ignore organizational reality and wonder why their recommendations never get implemented.

You cannot protect everything equally. Trying to do so means you protect nothing well. Identify the crown jewels in each category, map the attack paths to reach them, focus security on those paths, and accept gaps elsewhere.

Signs Your Security Program Is Doing Everything Wrong

Use this diagnostic. Zero to two items means some misdirection. Three to five means serious problems. Six or more means complete security theater.

• Your security roadmap is driven by framework compliance, not threat intelligence. You are optimizing for audits, not for avoiding incidents.
• You cannot name the top three techniques targeting your industry right now. If you do not know the threat, you cannot prioritize defense.
• Your consultant relationships are multi-year partnerships with no defined outcomes. You have bought dependency, not capability.
• Your SOC is drowning in alerts and missing real incidents. The signal-to-noise ratio is broken.
• Security decisions are made in consultant reports, not by people who understand the business. Security without business context is just compliance theater.
• You measure success by controls implemented, not incidents avoided. You are measuring activity, not outcomes.
• Your team cannot explain which crown jewels are protected and which are not. If you do not know what matters, you cannot prioritize protection.
• When incidents happen, you discover gaps that were not on the roadmap. Your roadmap is not based on actual threats.

What I'd Tell My Former Self

Looking back at the security programs I ran:

Start every planning cycle with a single question. What are the bad guys doing to organizations like us right now? Not what is in the framework. Not what is comprehensive. What is actually being used against us.

Cut consultant engagements that create dependency. Pay consultants to build my team's capability, not to become permanent fixtures.

Know the crown jewels cold. If my team cannot explain what we are protecting and why, we are not doing security. We are doing compliance theater.

Hire for judgment, not credentials. The person with ten certifications who panics in incidents is worse than the person with one who keeps their head.

Measure by incidents avoided, not controls implemented. Activity is not the same as outcomes.

The 2026 Prediction

Organizations that focus on comprehensive security over targeted security will continue experiencing incidents their more focused peers avoid.

The comprehensive organizations will have beautiful compliance postures. They will pass audits. They will have consultant reports showing 95% control coverage. They will still get hit by the basic attacks that work against their industry, because those attacks were not prioritized on the three-year remediation roadmap.

The pattern plays out predictably. The comprehensive path spends 2024 and 2025 on a multi-year, framework-based transformation, then in 2026 takes a ransomware incident via the exact technique that has been hitting the industry for 18 months. The post-incident finding is that the attack vector was item number 147 on the remediation roadmap, and the board asks why the program was not focused on actual threats. The focused path spends those same years identifying the top techniques targeting the industry, hardening against those specific attacks, and testing controls against known patterns, accepting some framework gaps as lower priority. In 2026 it avoids the incidents its peers experience.

The organization that stops the attacks that matter beats the organization that checks all the boxes. Every time.

The Playbook for Focused Security

Five steps to shift from comprehensive to effective.

1. Identify your industry's top techniques. Not theoretical threats. What is actually being used against organizations like yours right now. Talk to peers who have been hit. Read incident reports from your industry. Know the threat before you design the defense.
2. Map attack paths to your crown jewels. How would those techniques reach what actually matters in your organization? Do not protect everything equally. Focus on the paths that lead to crown jewels.
3. Test controls against known patterns. Do not assume your controls work. Test them specifically against the attack patterns you are trying to stop. Include both technical controls and human response.
4. Hire and empower people who understand the threat. Build capability in your team. Use consultants for domain expertise and specific technical depth, not as permanent dependencies. Transfer knowledge, do not outsource thinking.
5. Measure by incidents avoided, not checkboxes. Track whether you are stopping the attacks that matter. Compliance coverage is important for regulatory reasons but secondary to actual security outcomes.

The Bottom Line

Stop trying to do everything. Start doing what matters.

Know your industry's threat landscape cold. Use consultants for domain expertise, but combine their expertise with your team's tribal knowledge about crown jewels, business operations, and political landmines. Build capability, do not buy dependency. The consultant who makes you smarter is worth their fee. The consultant who makes you dependent is not. Measure by outcomes, not activity.

The best security programs are not comprehensive. They are focused. They know what matters and protect it well. They accept gaps in areas that do not matter as much. The organization that stops the attacks that matter beats the organization that checks all the boxes. Every time.