Forget what you've been told by the industry. Security issues are the result of defects in how infrastructure and processes are designed, built, maintained, and operated.
The real question is: why has the organisation, through its operating model and incentives, allowed-or even promoted-the behaviours that led to those defects in the first place?
For decades, cybersecurity has focused on identifying, prioritising, and mitigating the consequences of these defects through increasingly complex and expensive technologies, frameworks, and controls-often in ways that remain opaque to the executives accountable for the outcomes.
But their true causes lie in organisational structures, operating models, incentives, priorities, and decision-making-often driven by fragmented ownership and poor cost modelling.
The good news? The underlying causes of these failures are not technical problems at all. They are familiar business problems executives already understand-and are uniquely positioned to solve.
By addressing these organisational conditions first, leaders create organisations that are not only more secure, but also more efficient, more resilient, and more profitable.
For more than two decades, Greg van der Gaast has been asking a simple question: if organisations spend billions on security, why do the outcomes keep getting worse?
Today, as founder of Sequoia Consulting, he helps leaders identify and address the structural causes of poor security, risk, quality, and performance outcomes.
Independently Published
979-8-1823-1495-4

