
It’s time to change the cybersecurity risk management conversation. Let’s talk about "danger" instead

"Danger demands vigilance, readiness, and immediate action. This isn't just a case of semantics..."

Cybersecurity is facing a crisis, and it’s time we stopped avoiding it.

It doesn’t matter that adversaries are more aggressive and savvy; the way we’re talking about them is a bigger part of the problem, writes John Kindervag, Chief Evangelist at Illumio. We’ve clung to the concept of “risk management” for too long now, a term couched in calculated probabilities and acceptable losses. It’s a reassuring framing that offers a sense of control. But it fosters complacency.

When it comes to defending against cyberattacks, probabilities don’t matter. Action does.

That’s why I propose we stop talking about “risk” and start talking about “danger.” Danger doesn’t wait for analysis or negotiation. It demands vigilance, readiness, and immediate action. 

This isn’t just a case of semantics – it’s a shift in both mindset and strategy that we need to combat attackers who are more motivated and capable than ever.

A personal story behind danger management 

My belief in the need to replace “risk” with “danger” stems from a very personal experience. We’ve all heard the action hero quip about “danger being my middle name.” Well in the case of my nephew, Stephen Danger Kent, it’s literally true. It’s a big name to live up to, and let me tell you he’s more than earned it.  

When he was just four years old, he was diagnosed with neuroblastoma, a rare and aggressive childhood cancer. The odds of him even developing the disease were astronomical — roughly 1 in 22,000, or 0.0045%. His chances of survival were set at a bleak 2%.

For a year, Stephen endured relentless treatments: chemotherapy, radiation, and immunotherapy. His battle taught me a critical lesson: probabilities don’t matter when you’re facing a threat. You fight anyway.

But don’t worry, there’s good news here. Stephen survived against all odds. He’s 16 now, living proof that danger can be confronted and overcome. It was my wife’s words during this ordeal that formed my perspective: “God doesn’t believe in probabilities.” Danger is what matters in life, not abstract calculations of risk.

Even the most vicious cybercriminal will be hard-pressed to match something as terrible as childhood neuroblastoma. But still, we face attackers who are motivated, resourceful, and relentless. They don’t calculate probabilities; they act, and all too often, they win. It’s time we did the same. We must see the threats we face for what they are: imminent dangers that demand immediate, decisive action.

The flaws of risk management in cybersecurity 

Now that we’ve established why I think embracing the idea of danger is the way forward, let’s take a step back and look at why the word ‘risk’ isn’t cutting it in the cyber industry anymore.

I think ‘risk’ has become a crutch - a convenient way to soften the reality of our threats. It’s borrowed from industries like insurance, but risk management doesn’t work in our field. While insurers can count on actuarial tables and probabilities to predict outcomes with reasonable accuracy, cybersecurity isn’t like that.

Cyber threats are not abstract probabilities; they are imminent dangers driven by motivated attackers. Risk management asks us to accept, transfer, or mitigate risk, but these responses fail when faced with adversaries who operate with intent and unpredictability. The worst flaw of risk management is its implicit question: “How much are you willing to lose?”

In practice, though, risk management can end up incentivising inaction. We give up, accept the risk, and assume that suffering devastating cyberattacks is an unavoidable reality.

Mitigating risks costs money, so organisations may choose to accept them instead. This creates a culture where vulnerable technology and processes are allowed to persist if it seems cheaper than the potential breach. 

Again, this is a very familiar mindset when it comes to insurance, where it’s often a perfectly reasonable way to manage costs. But the crucial difference in cyber is that risk management assumes the attacker will behave predictably. With a skilled and determined adversary, you can never be quite sure what tricks they will pull out in an attack, or how far they’ll push the result when they succeed in compromising the network. 

If we want to protect our organisations, we must abandon the flawed logic of risk management and adopt a mindset that treats every threat as an immediate danger requiring immediate action.

Why danger management is the future


One of my go-to examples of danger management in action is military preparedness, where success depends on timeliness, discipline, and persistence. In cybersecurity, we face adversaries who don’t wait for our risk assessments. They often act with precision and intent. Treating cyber threats as dangers changes how we respond - with the speed and decisiveness needed to confront imminent threats.

A Zero Trust strategy is one of the most effective ways of putting danger management into practice. As I’ve been touting for more than a decade after creating the concept, Zero Trust operates on the assumption that every interaction could be compromised. There is no probability of risk guiding action – it’s a Schrödinger’s cat problem. At any moment the probability of attack is both 0% and 100%. Vigilance is key.

I recently spoke with a board member of a company who served on its risk committee. In the yearly update from the CIO, the board was told that their risk of suffering a material attack was low. When asked what they had done to reduce this risk over the past year he replied “nothing.” The board member then inquired how he could make such a statement, to which the CIO replied that their risk was reduced “because our cyber insurance premium went down.” Astounding.

Moving to danger management is more than doing a quick CTRL+F on all the policy documents. It’s a cultural and operational shift. By treating cyber threats as dangers, we create a sense of urgency that the higher decision-making levels of the industry often lack - and that’s the only way to keep pace with increasingly sophisticated and determined attackers.
