My Christmas Security Wishlist
At least 5 things I want to change in the next 5 years
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I decided to try something new this week and offer a more “holiday-themed” post. I’ve been vocal about my frustrations with the current state of the cybersecurity community—its inertia and reluctance to change. With the rapid emergence of AI fundamentally altering the threat landscape, the industry is increasingly unwilling to accept, confront, and adapt to these new realities.
As I’ve argued in the past:
This week, let’s look forward. Here is my Christmas wishlist for the cybersecurity community, directly addressing what needs to change for us to regain effectiveness.
Wish 1: We finally get rid of outdated security practices.
Security’s core function is managing and mitigating risk. We now have better access to large amounts of data to evaluate that risk, which means our guidance should be constantly refined against changing data and new threat landscapes.
Two practices immediately jump to mind for elimination:
Mandatory 90-Day Password Rotation: This is an obsolete compliance requirement and an annoyance that breeds poor user hygiene. Most people simply append a number or a simple change to their current password, defeating the purpose. While rotating machine secrets (like database passwords and service account keys accessed by multiple people) remains critical, forced human rotation is counterproductive.
Security Questions: They fundamentally fail. Designed to be easy to remember for the user, they are now dangerously easy to guess, given the wealth of personal information available online via social media. There are much better, more resilient ways to verify identity, especially with the increased use of robust password managers and stronger authentication methods.
The modern practice should be simple: use a password manager and enable multi-factor authentication (MFA) everywhere.
Wish 2: Get rid of security awareness training.
This is another painful, low-ROI compliance requirement. The data is mixed on whether these generic, mandatory, annual trainings are actually effective. Employees usually play the training in the background or try to click through it as fast as possible. This format delivers information without providing regular, practical experience, resulting in employees who don’t know what to do in specific scenarios. At larger organizations, enforcing this training wastes significant operational effort for little clear return on investment (ROI). Specialized training, like developer security training, is often even worse.
I would rather see investment shifted to regular, targeted engagement like realistic phishing simulations. More importantly, we should focus on continuous monitoring and implementing guardrails that automatically change user behavior and prevent errors, rather than relying on the hope that someone paid attention to a video months ago.
Wish 3: Security builds again.
I don’t want more security tools; I want security teams to actually go and solve problems rather than being risk pushers. Somewhere along the way, security leaders decided their value was simply program-managing risk rather than actively mitigating it. They became advisors with “solutions” but lacked the ownership or technical capability to implement them. This detachment is the root cause of the industry’s effectiveness problem.
Security must adopt a more hands-on, engineering-focused approach. While I don’t believe security should own all risk, it must take ownership for a substantial part of the risk reduction effort. Spending time and money to merely surface risk, which then remains unmitigated, is not helpful for the business. As a result, security needs to build again and work toward being a direct part of the solution, rather than just surfacing problems. This shift requires technical leaders and a willingness to contribute directly to the code base. Jonathan Price states this well in his LinkedIn post:
Wish 4: More security tool consolidation.
Related to the previous wish, let’s have fewer security tools. As I’ve argued, most security tools are too theoretical and often solve marketing problems rather than actual technical ones.
It’s often unclear what the ROI of these point tools is. They primarily create more alerts and surface more risk without a meaningful, actionable solution for mitigation. We waste time cutting through alert noise and managing complex tools that rarely work out of the box and require lengthy Proofs of Concept (PoCs). This enterprise sales motion is broken and mismatched for the speed of the cloud and AI world.
My hope is that we invest more into unified platforms—and ideally, AI platforms—that are intuitive and allow security teams to solve problems on one surface, rather than buying dozens of point solutions. We are already seeing this consolidation trend with increased mergers and acquisitions (M&A). Too much competition in point-solution markets is actually bad for overall customer value, so I’m hoping the market adjusts itself naturally toward fewer, deeper solutions.
Wish 5: Security becomes more focused and enabling.
This is a broad wish about culture and strategy. Security spends too much time complaining about problems in general, rather than having constructive conversations that enable the business.
Let’s take AI as the primary example. The technology is here to stay and will gain wider and wider adoption. Instead of generating FUD (Fear, Uncertainty, and Doubt) about all the potential problems of AI, which implies that we shouldn’t use it, we should be having conversations about how to use it safely and efficiently. With any new technology, new challenges will emerge. It is the job of security to focus on solving those challenges rather than advocating for restricted usage. This is the difference between being a roadblock and being an enabler, as I discussed regarding how to be a security person that engineers don’t hate.
Another area for focused change is compliance. Security compliance must become more aligned with genuine security risk. Right now, our frameworks are often full of checkboxes that are time-consuming to meet, but which barely reduce actual risk. We are expending limited security resources and talent on proving we passed outdated certifications rather than solving tangible security problems.
Final Thoughts: The choice to adapt
These are some of my wishes for the industry as we head into the new year. I know some changes might take a long time, but others, driven by market consolidation and technological necessity, will happen faster.
The fundamental challenge is that security has been too set in its ways. We have operated as an operational, auditing function for too long, relying on processes and leverage dynamics that are relics of the pre-cloud, pre-agile, and certainly pre-AI world.
We are seeing a new class of technical security leaders emerge, i.e., people who understand that to manage risk in a modern software-driven business, they must understand software engineering and business context deeply. This shift in leadership is what will truly drive the change demanded in this wishlist.
The market is already applying pressure:
Security budgets are under scrutiny: Executives are demanding measurable ROI and efficiency gains. They will not continue to write blank checks for theoretical risk reduction.
Vendor consolidation is inevitable: The plethora of point tools—many of which are effectively solving organizational problems with technical solutions that don’t fit the actual workflow—will not survive. The focus is moving to platforms that can provide end-to-end context and automation.
Trust replaces FUD: Security must learn to build trust both internally with engineering teams and externally with customers by delivering effective, transparent operations and communicating clearly during incidents. We need to embrace a philosophy where a security incident is seen not as a failure of the initial security control, but as an opportunity to demonstrate world-class detection, response, and transparent communication.
The choices are clear: embrace the necessary shift to a technical, efficiency-focused, and collaborative function, or continue to fade into irrelevance as businesses build and move around an outdated gatekeeper. It’s time for security to accept the new reality and adapt to win.