Straight talk on security — what's actually broken, why, and how to fix it. Written from inside the problem, not from a vendor's perspective.
The security talent shortage is real — but a lot of it is self-inflicted. Companies require certifications that don't predict whether someone can actually do the job. They filter on specific tool names instead of problem-solving ability. They mistake experience with acronyms for experience in real environments. The result: roles open for six months, qualified people filtered out in round one, and organizations left without the help they need.
Buying a Zero Trust product and building a Zero Trust security posture are two very different things. Most organizations have the former and assume it means the latter. Meanwhile, the gap between what the vendor dashboard shows and what the environment is actually doing is exactly where attackers find their way through.
The most common answer is that the tool was configured the way the vendor manual says to configure it — not the way your team actually works. When the secure path is slower than the insecure workaround, people use the workaround. Every time. The program fails not because the tool is bad, but because nobody accounted for how the team operates under pressure.
Zero Trust sounds great until you realize your system thinks a former employee from two years ago is still active — and your current security policies are enforcing access decisions based on that. Clean, accurate identity data isn't optional groundwork for Zero Trust. It's the foundation everything else depends on.
A chaotic onboarding process and a security risk from a former employee's access both trace back to the same root cause: no clear, automated system for knowing exactly what access each role needs and making sure that access is granted — and removed — at the right times. It looks like an HR problem. It's actually an identity governance problem.
Because nobody owns the renewal process. The certificate expiration date was known for months — it's on a fixed schedule. But ownership is scattered across teams, documentation is out of date, and nobody has a system that catches it before it becomes an outage. The technical fix is simple. The organizational fix is where most teams get stuck.
Most organizations have a long list of security gaps and a limited budget. The programs that succeed sequence work to get visible, measurable wins early — reducing real risk and building internal confidence — while the longer-term foundation is being built. The programs that fail try to do everything at once and stall out without showing anything for it.
Organizations that treat compliance monitoring as something to prepare for — rather than something that runs continuously — always face the same problem: the auditors arrive and the evidence needs to be assembled from scratch. The organizations that sail through assessments have systems that generate that evidence automatically as part of normal operations. One is a fire drill. The other is just operations.
A lot of security problems that look complicated have a clear path through them once you've seen similar situations before. If something you read here sounds familiar, let's talk about it.