Doing the Hard Things (in security, and in life)

    27 Oct 2025

    Everything is easy until it’s not

    When you start a new relationship, everything feels easy. It’s exciting. It’s fresh. You want to impress. You like being impressed. You want to explore. Every day feels like a new adventure. But then reality sets in. The fun stuff gives way to routine, and routine takes work. You start learning nuances and dynamics. You have to show up. You have to communicate. You have to do the right things, long after the excitement fades. That’s where the real relationship begins, and where most people start looking for something new. You don’t want to let relationships fail like that if you can help it. And you don’t have to…if you’re willing to do the work.

    I see the exact same thing in information security. When a new tool is released or a new “AI-powered” promise appears, people rush to it like it’s the answer to all their problems. It’s fun, it’s different, it’s shiny, and for a while it even feels like progress. But just like that first rush of infatuation, it doesn’t last. Eventually the cracks appear. The same old weaknesses show up again. The same people and process gaps. The same blind spots that were ignored before. Security incidents continue. And what happens next? Another distraction. Another shiny object to chase. It’s a new year with the same story…

    Don’t get distracted, use what’s proven

    We’re closing out 2025, and the distractions are endless. Everyone is talking about artificial intelligence like it will solve everything. Vendors are promising “next-gen threat detection,” “autonomous response,” and “self-healing networks.” Analysts are hyping “AI-driven resilience” like it’s a new religion (cult?). Meanwhile, the same security fundamentals are being ignored. Yes, new threats and solutions do emerge in our space. AI certainly has its place, but the promise often becomes the distraction. The “silver bullet” becomes the excuse not to do the hard work that’s been waiting for years.

    Here’s the thing: real progress in security doesn’t come from excitement but from the discipline to do what’s right. From proper vulnerability and penetration testing, not just scanning for show. From patch management and vulnerability management working together, not just applying patches in a vacuum. From knowing exactly where your information lives on the network, and being able to prove it. From password requirements that balance security with usability. From proper monitoring and visibility that reveal what’s really happening. From incident response planning and practice, instead of treating the plan as a paperwork exercise. None of this is glamorous or tweet-worthy, but it’s what works IF you do it day in and day out. Yes, I know it’s boring, but I’ve seen it for decades… it’s what works in security.

    You can’t secure what you don’t acknowledge. Yet the industry keeps pretending it’s going to find “the one,” the perfect tool that makes all the hard stuff go away. That’s not how it works. Relationships don’t improve because you buy a new engagement ring, and security doesn’t improve because you buy a new product or outsource a new service. It improves when you do the hard things regularly and consistently over time.

    An eye-opening resource to leverage

    Back in 1973, James Martin wrote Security, Accuracy, and Privacy in Computer Systems. It laid out many of the core principles of security we still rely on. Those ideas are more than fifty years old, and yet we continue to struggle with them today. Why? Because people keep chasing what’s new instead of doing what works. We don’t have a knowledge gap, or a “cybersecurity skills gap” as many like to call it. We have a discipline gap. We don’t need more products, systems, and complexity… what we need is the willingness and discipline to do what we know needs to be done. If you haven’t read my earlier piece on this, check out Famous Quotes and Their Bearing on Information Security. It’s a reminder that these lessons have been right in front of us all along, yet we often choose to look the other way.

    What’s needed for better security moving into 2026

    If your security program feels calm, predictable, even a little boring, that’s not a failure in my opinion. That’s maturity and grace. It means you’ve stopped chasing hype and started doing the work that actually reduces risk. The daily disciplines. The uncomfortable conversations. The accountability that no one likes but everyone needs. Just like in relationships, it’s not about what feels good in the moment. It’s about showing up day after day and doing what’s right.

    You don’t need more excitement in your security program. You need more consistency. You don’t need more tools. You need more truth. You don’t need to fall in love with the next shiny object regardless of what your salesperson and sales engineer promised. You need to stay committed to the one you already have (your security program) and make it better. Because if you don’t, someone else will gladly take advantage of that neglect.