The cybersecurity industry is perpetuating a $240 billion lie[1], and you and I are part of it.
We've been inside the boardrooms, selling business leadership on the virtues of controls and compliance to turn metrics green, focusing on isolated outcomes over holistic processes. That budgets should go to certifications and tooling, not capabilities. That risk and control registers lead to resilience. That saying a "quick yes" to engineering changes is more valuable than enabling growth sustainably.
What's actually happening: We're selling theatre instead of transformation. We're fighting for budgets and resources instead of capabilities that enable business growth.
The Theatre in Action
Walk into any boardroom and watch the performance unfold:
"We need SOC 2 certification to win this deal" - while ignoring whether the business can actually protect what matters
"Our risk register shows we're compliant" - while executives approve risks they fundamentally don't understand
"Security prevented 10,000 attacks this month" - a meaningless metric that sounds expensive to maintain
Persisting in treating security like cost centres and reacting to threats instead of proactively building strategic security will not only hold us back but is a losing game. The winning game belongs to those who start treating security like finance - as a discipline that enables growth through intelligent risk management. Those companies will be eating their competitors' lunch.
The Inflection Point
What we’re advocating isn’t about tweaking security programs. We're at a fundamental inflection point where cybersecurity transforms from cost centre to competitive weapon[2]. It’s that, or you get left behind entirely[3]. Being left behind means falling into a downward spiral: a lack of strategic foresight leads to more reliance on outsourced security services and SaaS solutions[4] that become misaligned with the company’s strategic objectives, perpetuating cyber as tools and processes rather than as a strategic asset for business value creation.
The organizations winning this transformation understand something their competitors don't: security posture creates genuine business differentiation. While others buy compliance theatre, they're using security to:
Access regulated markets like healthcare and finance that require demonstrated security maturity
Command premium pricing from security-conscious customers
Accelerate time-to-market by building security in, not bolting it on
Win enterprise contracts that require demonstrated, not documented, security capabilities
This is the same evolution credit risk management underwent decades ago - from "preventing bad loans" to "optimizing risk-return profiles for maximum profitable growth".
What Transformation Looks Like
Instead of asking "What did we get for our $185M security investment last year?" forward-thinking leaders ask "What market opportunities did our security posture unlock this quarter?"
Instead of presenting security as "We need $10M to prevent breaches," they frame it as "Our security maturity enables the $50M remote workforce strategy and qualifies us for Fortune 500 supplier requirements our competitors can't meet."
The frame defines everything. And the companies setting the right frame first are building competitive moats while their peers burn budget on security theatre.
The Winners and Losers
Winners: Organizations that recognize cybersecurity as a business enabler and treat it with the same strategic rigor as finance or operations. They'll dominate markets while competitors explain breach headlines to customers.
Losers: Companies stuck in the compliance and control tick-box mindset, forever chasing the next certification while missing the fundamental business transformation happening around them.
The $240 billion cybersecurity industry has a choice: continue profiting from confusion and theatre, or demand the business transformation that creates real value. I know where I stand.
Business leaders have the same choice: keep buying the lie, or recognize that security done right isn't a cost to be minimized - it's a competitive advantage to be maximized.
The question isn't whether this transformation will happen. The question is whether you'll lead it or be left behind by it.
[1] Gartner forecasts that 2026 cybersecurity spending will be approximately $240 billion (Gartner News).
[2] This calls for reframing our security needs from costs and obligations to enablers and strategic assets (Article: Never lead with cost).
[3] The future of cybersecurity is evolving on several planes, but changes to technology through generative AI and AI-enabled threat actors will deeply exacerbate this trajectory (Article: The new battlefield).
[4] Organizations struggling with supply chain vulnerabilities and limited internal security capabilities increasingly default to third-party solutions, creating deeper dependencies rather than building strategic security assets (Paper: World Economic Forum 2025 / Accenture: p. 24, 25).