Cybersecurity is really boring
Basically, what the title says.
Several weeks ago, I got into a debate with a good friend of mine. He started by saying that security is a very exciting space with so many things changing every day. But the longer we talked, the more we started agreeing that when done well, cybersecurity is incredibly boring. In this piece, I am going to explain why that is.
This issue is brought to you by... Varonis.
83% of organizations use AI. Only 13% know what it touches.
Shadow AI isn’t a future problem. Your teams are deploying agents, copilots, and custom LLMs outside of IT’s view.
Each one is a potential path to your most sensitive data that most security tools can’t see. Point solutions that monitor prompts or flag known tools don’t cut it when you can’t inventory what you have.
Varonis Atlas continuously discovers every AI system across your environment, sanctioned or not, and enforces real controls over what those systems can access and do. Because you can’t secure what you can’t see.
Book a demo and see what Atlas finds in yours.
A healthy lifestyle is really boring
I like metaphors, so let’s talk about fitness before we go back to cyber.
If you lift weights, you know that despite all the hacks, supplements, TikTok advice, or whatever people are spending their time on these days, building muscle really comes down to two things: progressive overload, and repetition and volume. In simple words, you are either increasing the weight over time, which will help you become stronger, or putting muscles under enough stress that they break down and rebuild stronger and bigger.
There are all kinds of other workouts, techniques, and skills people can focus on (endurance, flexibility, etc.), but building muscle comes down to these two. I am by no means a fitness trainer and definitely don’t mean any of this as any kind of advice, but I would go even further and say that people can get most of the results from some six or seven exercises, like squats, deadlifts, bench press, pull-ups, overhead press, and one or two more. That’s it. The actual results come down to doing these things progressively and repeatedly - for a year, two, five, ten… In fact, unless you work out for six months or a year, you won’t even see much in terms of results. Most of us can’t do anything this long without instant gratification, which is partly why 99% of the people who signed up for the gym on January 1st have quit by now. Saying this will get a few unsubscribes, but please don’t take it personally, my friend; I am just using this as an argument to illustrate a point (for what it’s worth, I was paying for the gym for like 3 years before I actually started going).
Many people think the “big bad fitness industry doesn’t want people to be healthy,” but realistically, the information about what works has been out there forever. Most people just struggle to do the boring things consistently.
In general, healthy living is boring. Working out, going to bed on time, eating vegetables, walking more, drinking less, sleeping enough, pretty much all the things we should do to stay healthy are really boring. The funny part is that they actually work (in fact, they’re basically the only things that work), but we don’t like boring, so we don’t do that.
Cybersecurity is really boring
This brings us all the way back to cyber. There aren’t going to be any unexpected twists and turns here, because that’s just what it is: cybersecurity is really boring.
I didn’t run a survey asking security engineers how exactly they spend their time, so I can’t claim that this is some kind of well-documented research, but I am pretty sure that if I did, I would find that most of a security team’s time is spent doing stuff like:
Doing the half a dozen boring things that do most of the heavy lifting, and hopefully getting enough buy-in and having enough discipline to do them well
Preparing for meetings, sitting in meetings, sending updates after meetings, and planning follow-up meetings
Trying to get people to actually fix things that can screw up the organization big time instead of just “accepting the risk”
Running POCs of security tools, and dealing with vendors who overpromise and don’t deliver half of what they promised
…
Basically, if security vendors actually listened to customers, their taglines wouldn’t all sound like everyone is just trying to stop China from stealing their corporate secrets. These things happen (and it’s really bad when they do), but statistically, an average company is more likely to get breached because an employee clicks on a phishing link, not because of some sophisticated zero-day.
Cybersecurity is only boring when it’s done well
Here’s the key point: cybersecurity is only boring when it’s done well. Remember, boring is good. To stay healthy, you have to consistently eat decent food, sleep enough, walk, and regularly exercise. Security also comes from doing the same fundamental things over and over again. There’s nothing exciting about maintaining an asset inventory, patching systems, enforcing MFA, cleaning up access, segmenting networks, reviewing configurations, or monitoring changes. But these are exactly the things that prevent breaches.
In cyber, we love novelty. Every year, there’s a new wave of tech, a new category, and a new promise that “this time security will become easy”. Meanwhile, most breaches still come back to the same problems we’ve known about for years: excessive access, poor visibility, weak segmentation, lack of monitoring, unmanaged assets, and operational complexity. The fundamentals haven’t changed nearly as much as people would like to believe. Last week, I wrote an article about this: what works against Mythos today is what worked against ransomware 5 years ago, and against malware 10-15 years ago. I am pretty sure that five years from now it will still be relevant.
Just like you don’t need 200 different exercises to build muscle, companies don’t need 200 disconnected tools to improve their security. Sadly, 5 tools won’t do here, but I am sure most security leaders will agree that a relatively small number of disciplined, well-executed initiatives can get the company 90-95% of the way there. The hard part is sticking with doing these basics consistently, even when there’s not much excitement about them.
Again and again, effective security comes down to blocking and tackling: the essentials, like checking logs, keeping systems patched and up to date, reviewing changes, evangelizing about security, etc. The remaining 1-5% of the job requires people to go beyond the basics, but if they end up spending too much time on that, they’re doomed.
The uncomfortable truth: the best cybersecurity programs look boring from the outside because disciplined authorization, identity hygiene, segmentation, and least privilege quietly stop disasters before they become headlines. The problem now is AI agents amplify every bad permission model at machine speed, which is exactly why EnforceAuth is focused on closing the authorization gap most companies still ignore. CISOs don’t need another dashboard telling them an AI agent might be risky after the fact — they need runtime policy enforcement that controls what agents can access, what actions they can take, and what data they can touch in real time. “Polite AI” that follows prompts without hard authorization guardrails is just overprivileged automation wearing a nicer UI.
Could not have said it any better. It really boils down to whether we can protect the CIA triad, and whether we are authenticating and authorizing correctly.
Success is very boring, but boring is good.