Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

A year ago, I wrote about why security is easy, which generated a fair bit of conversation. It challenged the notion that security is inherently more difficult than other engineering disciplines and argued that many security challenges stem from poor execution, not intrinsic complexity.
A couple of weeks ago, I wrote a follow-up to my earlier article on why security is hard, this time on why security is still hard and getting harder. In that newsletter, I briefly mentioned that some aspects of security have gotten easier, but mostly focused on why it’s getting harder.
However, I do think security has become easier in many ways. Since I wrote my first set of posts, a lot has changed, especially with the acceleration of AI and the growing maturity of security teams across tech. So I thought it was worth revisiting the topic with a new lens: not just why security isn’t hard, but why it’s gotten easier in meaningful ways.
Security is easier because the ecosystem has matured
Five to ten years ago, a typical security team had to do a lot from scratch, building workflows, writing detections, deploying infrastructure, and educating the company all at once. Now, many of those foundations are available out of the box.
Managed services, cloud-native security defaults, and mature vendor platforms have all leveled the playing field. You no longer need to build your own alerting pipeline or convince your company to do SSO. These are defaults, not battles.
For example, a security team no longer has to choose between building out their own SIEM with a detection and response team and working with an MSSP, which has a spectrum of quality. A security team can buy Expel or Arctic Wolf to kick off the basics of their detection and response program. Similarly, it’s likely an engineering team is already using Datadog, so a security team can start with Datadog SIEM to do some basic detections in a low-friction way. This is similar to how a startup no longer has to buy its own hardware and set up its own servers. Instead, it can use AWS and some SaaS tools.
There’s still complexity, of course. But the scaffolding to do security well is much more available, and it lets teams focus energy on what actually matters.
AI gives security teams leverage if they use it right
AI has been a huge source of fear for security, and for good reason. It creates new risks and expands the attack surface. But it also reduces a lot of the friction in doing security work.
Tasks like log parsing, rule writing, ticket triage, and documentation can now be accelerated with basic LLM tooling. Even generating starter policies or scripting alert logic is easier when tools like GitHub Copilot or GPT-4 are in the mix.
The key is that security teams need to actually use these tools themselves. I’ve seen teams go from manually tuning detection rules in YAML to prompting an LLM for a starter query and spending their time validating instead of drafting from scratch.
For instance, a less technical security team can use AI to better parse and understand code. Similarly, it can help with a lot of operational tasks, like building scripts to gather evidence for compliance tasks rather than doing them manually.
Of course, this doesn’t replace expertise. But it augments it, and in a world where security headcount is tight, that’s meaningful leverage.
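To make the “validating instead of drafting” step concrete, here is an added example of my own, not code from the original post. It takes a constructed “starter” brute-force rule in the JSON shape a simple SIEM might accept (the field names, thresholds and sample IPs are assumptions for the example), replays a handful of constructed log lines through it, and checks the result against an expected true positive and two benign look-alikes. The rule is the part an LLM can draft; the test cases are where the analyst’s time goes.

```python
"""Validation harness for an LLM-drafted starter detection rule.

Constructed example, not from the original post. The rule format, field
names, timestamps and IP addresses below are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical starter rule: "N failed logins from one source IP within W seconds".
STARTER_RULE = json.loads("""
{
  "name": "Burst of failed logins from one source IP",
  "where": {"event": "login", "outcome": "failure"},
  "group_by": "src_ip",
  "threshold": 5,
  "window_seconds": 300
}
""")

def parse_event(line):
    """Parse one JSON log line into a dict with a datetime timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def evaluate_rule(rule, events):
    """Return the set of group keys (here: source IPs) that trip the rule.

    Sliding window: for each group, sort the matching events by time and
    look for any `threshold` consecutive events that fit in `window_seconds`.
    """
    matched = defaultdict(list)
    for ev in events:
        if all(ev.get(k) == v for k, v in rule["where"].items()):
            matched[ev[rule["group_by"]]].append(ev["ts"])
    window = timedelta(seconds=rule["window_seconds"])
    n = rule["threshold"]
    hits = set()
    for key, times in matched.items():
        times.sort()
        for i in range(len(times) - n + 1):
            if times[i + n - 1] - times[i] <= window:
                hits.add(key)
                break
    return hits

def _mk(ts, outcome, ip, user):
    """Build one constructed JSON log line."""
    return json.dumps({"ts": ts, "event": "login", "outcome": outcome,
                       "src_ip": ip, "user": user})

# Constructed sample log: one burst, one clumsy user, one slow trickle.
SAMPLE_LOG = [
    # 203.0.113.10: six failures in under two minutes (expected: alert)
    _mk("2024-05-01T10:00:00", "failure", "203.0.113.10", "alice"),
    _mk("2024-05-01T10:00:20", "failure", "203.0.113.10", "alice"),
    _mk("2024-05-01T10:00:40", "failure", "203.0.113.10", "bob"),
    _mk("2024-05-01T10:01:00", "failure", "203.0.113.10", "carol"),
    _mk("2024-05-01T10:01:20", "failure", "203.0.113.10", "dave"),
    _mk("2024-05-01T10:01:40", "failure", "203.0.113.10", "erin"),
    # 198.51.100.7: a user mistypes twice, then signs in (expected: no alert)
    _mk("2024-05-01T10:05:00", "failure", "198.51.100.7", "frank"),
    _mk("2024-05-01T10:05:30", "failure", "198.51.100.7", "frank"),
    _mk("2024-05-01T10:06:00", "success", "198.51.100.7", "frank"),
    # 192.0.2.5: five failures spread over forty minutes (expected: no alert;
    # the five-minute window is what separates this from the burst above)
    _mk("2024-05-01T10:10:00", "failure", "192.0.2.5", "grace"),
    _mk("2024-05-01T10:20:00", "failure", "192.0.2.5", "grace"),
    _mk("2024-05-01T10:30:00", "failure", "192.0.2.5", "grace"),
    _mk("2024-05-01T10:40:00", "failure", "192.0.2.5", "grace"),
    _mk("2024-05-01T10:50:00", "failure", "192.0.2.5", "grace"),
]

# What the analyst expects the rule to say about each source.
TEST_CASES = {
    "203.0.113.10": True,   # true positive
    "198.51.100.7": False,  # benign look-alike
    "192.0.2.5": False,     # outside the window
}

def validate(rule=STARTER_RULE, log=SAMPLE_LOG, expected=TEST_CASES):
    """Run the rule over the sample log; return {ip: (expected, actual)}."""
    hits = evaluate_rule(rule, [parse_event(line) for line in log])
    return {ip: (want, ip in hits) for ip, want in expected.items()}

if __name__ == "__main__":
    for ip, (want, got) in validate().items():
        print(f"{ip}: expected={want} actual={got} {'ok' if want == got else 'MISMATCH'}")
```

The slow-trickle case is deliberately on the fence: whether five failures over forty minutes should alert is a judgement about your environment, not something a drafted rule can decide for you, and the harness is where that decision gets recorded and re-checked every time the rule is tuned.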
Breach data is better and is finally being used
In the past, it was hard to tell which risks mattered most because so few companies shared real incident data. Now, between public breach disclosures, legal filings, incident reports, and industry research like the Verizon DBIR, security teams have clearer visibility into what actually causes damage.
This has shifted conversations away from abstract risk and toward real-world prioritization. We know credentials are the root cause of most breaches. We know phishing-resistant MFA, session management, and proper offboarding are cheap wins. We know which attack paths lead to material impact and which don’t.
You no longer need a PhD in threat modeling or multiple years of experience in a high-risk environment to make good calls. You just need to align your program with the data. That makes security more accessible and more defensible in front of stakeholders.
Tools have improved or at least stabilized
Yes, the cybersecurity market is bloated. Yes, there are too many vendors solving the same problem. But underneath all the noise, a handful of categories have matured to the point that implementation is no longer painful.
EDR, cloud posture management, vulnerability scanning — these are all relatively turnkey now. You can instrument a baseline posture in days or weeks, not quarters. Platforms like Wiz, CrowdStrike, and Orca make it possible to cover a lot of ground quickly without needing massive teams.
You still need to evaluate tools carefully, and many aren’t worth it. But the floor is much higher. The default tool experience is better than it used to be.
A while back, it sometimes took a few months to set up an email security gateway to scan for phishing and malicious emails. Now many of those capabilities are built into the email providers themselves. If a company needs additional protection, it takes only a few minutes to set up a tool like Material Security, and high-quality findings can follow in a matter of weeks.
There’s a growing playbook for what “good” looks like
Ten years ago, “good security” was hard to define. Every company was inventing it from scratch. Now, there’s a growing body of shared best practices, from open-source baselines like CIS Benchmarks and SSDF to playbooks from experienced security leaders.
There’s more content and higher quality than ever before. Great newsletters (like Return on Security), strong blogs from companies like Latacora, and a network of practitioners willing to share what’s working. The barrier to getting started is lower.
Practitioners like me now have easier platforms for sharing what we’ve learned, such as high-leverage security engineering tasks and how to use AI in security. We no longer have to rely on inconsistent word of mouth or long-winded Gartner reports.
You still need to adapt these ideas to your org, but you don’t have to invent them.
The basics are enough (at least at first)
This is something I continue to believe: for most organizations, doing the basics well still goes a long way. You don’t need a bleeding-edge threat intel pipeline or custom detection engineering team. You need good IAM, secure defaults, reasonable logging, and an incident response plan.
Most breaches are still caused by weak controls and poor hygiene. That means solving security isn’t about being clever. It’s about being disciplined.
I’ve seen small teams (even without dedicated security people!) get surprisingly far just by focusing on:
Eliminating public S3 buckets
Enforcing MFA with hardware keys
Setting sane RBAC defaults
Using off-the-shelf scanning tools
Running simple, well-scoped IR tabletops
These aren’t hard. They just require ownership. These are also easier to accomplish in the cloud, and the documentation available online has made this work much easier.
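As an added example of what “eliminating public S3 buckets” looks like when it is scripted rather than eyeballed (my own code, not from the original post, and also the kind of evidence-gathering script mentioned in the AI section above), here is an offline audit over constructed bucket descriptions. The dicts are shaped like the responses of the AWS GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls; in a real run you would populate them from those APIs (assumption: via boto3, which is deliberately not used here so the script runs with nothing but the standard library). Bucket names, the sample policies and the VPC endpoint ID are constructed.

```python
"""Audit bucket descriptions for public exposure: policy, ACL and Block Public Access.

Constructed example, not from the original post. Input dicts mimic the shape
of AWS API responses; all names and values below are made up for illustration.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_findings(policy):
    """Flag Allow statements whose principal is everyone.

    A statement with a Condition block is reported as 'review' rather than
    'public', because the condition may (or may not) restrict who gets in.
    """
    findings = []
    if not policy:
        return findings
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        severity = "review" if st.get("Condition") else "public"
        findings.append(f"{severity}: policy statement {st.get('Sid', '<no Sid>')} "
                        f"allows {st.get('Action')} to everyone")
    return findings

def acl_findings(acl):
    """Flag legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append(f"public: ACL grants {grant.get('Permission')} "
                            f"to {uri.rsplit('/', 1)[-1]}")
    return findings

def public_access_block_findings(pab):
    """Report unless all four Block Public Access settings are on."""
    off = [k for k in PAB_KEYS if not (pab or {}).get(k, False)]
    return [f"weak: Block Public Access not fully enabled ({', '.join(off)})"] if off else []

def audit_bucket(bucket):
    """Run all three checks on one bucket description."""
    return (policy_findings(bucket.get("Policy"))
            + acl_findings(bucket.get("Acl", {}))
            + public_access_block_findings(bucket.get("PublicAccessBlock")))

def audit(buckets):
    """Return {bucket_name: [findings]}; an empty list means the bucket is clean."""
    return {b["Name"]: audit_bucket(b) for b in buckets}

ALL_ON = {k: True for k in PAB_KEYS}

# Constructed sample buckets covering the cases the checks are meant to separate.
SAMPLE_BUCKETS = [
    {"Name": "example-public-assets",   # wide-open policy, nothing blocking it
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-assets/*"}]}),
     "Acl": {"Grants": []},
     "PublicAccessBlock": {k: False for k in PAB_KEYS}},
    {"Name": "example-legacy-acl",      # no policy, but an old ACL grant to AllUsers
     "Policy": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "PublicAccessBlock": {**ALL_ON, "BlockPublicAcls": False, "IgnorePublicAcls": False}},
    {"Name": "example-vpc-only",        # "*" principal, but gated on a VPC endpoint
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vpc-only/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}),
     "Acl": {"Grants": []},
     "PublicAccessBlock": dict(ALL_ON)},
    {"Name": "example-private",         # owner-only ACL, everything blocked
     "Policy": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                         "Permission": "FULL_CONTROL"}]},
     "PublicAccessBlock": dict(ALL_ON)},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "clean" if not findings else "")
        for f in findings:
            print("  -", f)
```

The three checks are separate on purpose: a bucket can be closed by policy and still leak through a legacy ACL, and Block Public Access is the backstop that makes the other two findings moot when it is fully on. The “review” severity on conditioned statements is the honest answer when a script cannot tell whether a condition is restrictive; it keeps a human in the loop without hiding the statement.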
Takeaway: We don’t need to make security harder than it is
There are plenty of things that are still hard about security, and I’ve written about those, too. But we shouldn’t conflate challenges with excuses.
Security has gotten easier. The tooling is better. The data is clearer. The playbooks are more available. AI gives us leverage. And in many companies, executive awareness is higher than ever.
It’s still possible to mess all this up. But the bar for doing security well, at least at the foundational level, has never been more reachable.