
According to the Verizon 2025 Data Breach Investigations Report, vulnerability exploitation jumped 34% in 2025, while security investment was at a record high.

We talk a lot about the cybersecurity industry’s spending problem. Security budgets keep climbing, tool counts keep rising, and headcounts keep growing, yet breaches keep happening.

As I discussed in a recent LinkedIn Live with Tanya Janca, CEO of SheHacksPurple and one of the most respected voices in the AppSec world, the incentive structures we’ve built around security investment are the problem. Until we’re honest about what’s driving those structures, no amount of budget is going to move the needle where it matters.

The hard truth is that the cybersecurity industry has confused activity with effectiveness and complexity with capability. What’s more important is whether your security stack is actually making you more secure or just making you feel like you are.

Why more investment isn’t translating to more security

The numbers tell a story the industry would rather not acknowledge. Security budgets are at record highs. Tool stacks have never been longer. And yet the average enterprise is drowning in vulnerability backlogs so large they’ve become functionally meaningless.

Tanya mentioned that she’s seen clients carrying 40,000 critical vulnerabilities sitting in a single backlog with no realistic plan to address them. This is security theater at scale.

Unfortunately for many security teams, buying a new tool has simply become the default answer to every security question. And each new tool comes with its own alerts, dashboard, and integrations that don’t quite work with everything else you’ve got.  

The result is a sprawling, overlapping, contradictory mess that consumes enormous resources while leaving dangerous gaps.

What makes this particularly insidious is that the activity looks productive. When dashboards are full of data and tickets are being closed out, it’s easy to believe that you’re secure.  

But as Tanya observed, we’re confusing being busy with being effective. Knowledge workers, security professionals included, often show effort through visible, measurable, high-frequency activity rather than the deep, strategic work that actually moves outcomes.

For attackers, complexity is a feature, not a bug

Attackers depend on your environments being complex. They have low risk, high reward, and near-infinite patience. They just need to find the one gap where all of your overlapping tools don’t talk to each other.

“When people used to rob a bank, they walked in with a gun,” Tanya said. “Now they do it virtually, and they can try to rob 100 banks without getting caught.”

That asymmetry is the defining challenge of modern cybersecurity.  

And as Tanya noted, they’re remarkably good at finding those gaps. “As we get good at the perimeter, they attack the application. As we make zones, they attack the supply chain. They move to the easiest target, wherever that is.”

Every new tool you add creates new potential gaps. Your attacker only needs to find your weakest link, and the more complex your environment, the harder it is for you to find that link before they do.

Why the vibe-coding problem is about to get much worse

If tool sprawl is the slow-burning fire, AI-generated code is the accelerant.

The rise of “vibe coding” — using AI tools to generate code rapidly with minimal security consideration — is fundamentally changing the threat landscape in ways most security teams aren’t ready for. The volume, speed, and reach of insecure code being shipped into production right now is staggering.

“AI was trained on low-quality code,” Tanya said. “It’s not that the AI companies intended to do that; it’s just what was available. The code on the internet is lower quality than private closed code. Most open-source projects don’t have a security team.”  

We’re using models trained on low-security code to generate more code at unprecedented speed, often in the hands of people who have never thought seriously about secure development practices.

Tanya shared a particularly alarming example from a recent client session. Sixty participants ran the same AI code generation prompt, with the same security constraints applied. One of the outputs added comments instructing the Python linter to ignore certain code and then intentionally leaked secrets.  

A risk like that is already active in your environment. Is your security program designed to see it?

Shifting left on security culture

So what does good security actually look like in today’s threat landscape? The answer centers on fundamentally rethinking where and how security enters the development process, not on acquiring more tooling.

Tanya has been making this case for years. “It’s easier to hire a company to deploy a tool, put a bunch of checks in the pipeline, and say ‘it’s the devs’ problem now.’ That is not the best security program you can make.”

For security leaders, this means that two or three well-deployed AppSec professionals embedded in development teams may deliver more security value than a six-figure tool contract that nobody uses properly.  

The ROI math changes when you start measuring security outcomes rather than security activity.

Tanya also made a point about the power of defaults. She described a simple configuration change, such as configuring npm (the Node package manager) not to run post-install scripts by default. Just that change can eliminate an entire class of supply chain attacks.

“AppSec teams need to focus on where you can eliminate an entire class of bugs or where you can set a default that protects you against a huge blast radius,” she said.  

The mindset shift is moving from “what tool do I buy to fix this?” to “what systemic change eliminates this category of risk?” Sometimes that includes new tools, but it doesn’t necessarily have to.

Building a security team that’s fit for the AI era

If you were building your security team from scratch today, what would it look like?  

Tanya said she’d want three distinct profiles:  

  • Someone deeply curious about AI and comfortable building with it
  • Someone with strong social skills who can speak both “nerd” and “boardroom” and build the cross-functional consensus that security transformation requires
  • A deeply technical practitioner who can break things, review code, and find the holes before attackers do

For Tanya, that balance matters more than headcount. A team of four embedded in development workflows, focused on eliminating risk categories, will consistently outperform a team of ten running compliance checklists.

From my perspective at Illumio, I’d add one more lens to this: resilience.  

Before you think about building a team or selecting tools, start with strategic questions:

  • What does security need to deliver for your business’s resilience posture?  
  • What does containment look like if a breach occurs?  
  • How does your security architecture limit lateral movement and reduce an attack’s blast radius?  

The tools and teams should flow from that answer, not the other way around.

Security teams can’t afford to wait

The security problem is compounding faster than traditional investment models can respond.  

Writing a bigger check to the same vendors for the same tools won’t close that gap.  

What will?  

  • An honest audit of where your budget is actually generating outcomes
  • A willingness to cut tools that create noise without coverage
  • A commitment to embedding security before the code that needs securing even exists
  • A strategic anchor in cyber resilience

The industry has told itself a comforting story for too long: more spend equals more security, more tools equals more coverage, and more alerts equals more awareness.  

None of those equations hold up in modern cybersecurity. What matters now is whether you figure that out proactively, or the attackers figure it out for you.

Our next Hard Truths LinkedIn Live brings together two people who built Zero Trust. Register today to join John Kindervag and Chase Cunningham for their discussion, Stop Treating Symptoms: Why Cybersecurity Keeps Relapsing.

More Tools, More Problems: Why Your Security Stack May Be Working Against You