Cybersecurity incidents continue to rise despite record spending. Breaches persist mainly because organizations are making the same predictable decisions under pressure, often defaulting to short-term fixes that feel commercially sensible in the moment but increase long-term exposure. This may seem reckless after a breach, such decisions are usually framed as pragmatic responses to deadlines, budget constraints or operational urgency. Over time, however, they create patterns of behavior that attackers can reliably exploit.
“Many breaches happen because organizations make predictable decisions under pressure,” says Maman Ibrahim, Principal Partner at EugeneZonda and Founder of Ginkgo Resilience Ltd. “They focus on speed instead of having a sense of caution.” With more than two decades across IT audit, cybersecurity and digital transformation, he shares insights on how to reduce incidents, starting with changing how decisions are made every day.
Why Compliance Keeps Falling Short
Compliance is a lagging indicator that creates a false sense of security. This is a result of treating security as a box-ticking exercise; dashboards measure what was documented, not how the business actually behaves under stress. “We do audits, we do assessments, everything is green. But the volume of incidents keeps increasing,” he says.
At the same time, security teams are pulled in too many directions at once, with temporary workarounds piling up in the face of competing priorities compete. “Security teams lose against the business because they have too many priorities and too many exceptions,” Ibrahim says. The result is a widening gap between what organizations believe is secure and how their systems actually fail in practice. Bridging that gap requires a shift in mindset, away from reassurance and toward resilience, with a clearer understanding of how risk accumulates and manifests under real operating conditions.
Treating Cyber Risk as a System of Failure Paths
That shift starts by challenging one of the most persistent misunderstandings in cybersecurity: the belief that it is primarily a technology problem. “Usually security leaders mistake security for technology, when it’s mostly behavior,” he says. Cyber risk is a living system made up of people, incentives, suppliers and complexity. Many organizations, however, address it like a shopping list, adding tools, controls and policies after every incident.
A more effective approach is to analyze failure paths. Instead of counting vulnerabilities, leaders must ask how the business actually fails. Manufacturing, for example, has long focused on failure modes to prevent catastrophic breakdowns. Cybersecurity can borrow the same discipline by identifying where identity breaks down, where supplier access becomes dangerous, or where DevOps speed bypasses safeguards.
Activity is another false proxy for progress. Closing tickets, deploying patches and generating green dashboards can feel productive without materially reducing exposure. “It’s not because you are very busy that you are reducing exposure,” Ibrahim says. In one engagement, consolidating overlapping tools reduced the toolset by more than 60% and cut the risk surface by over 70%. Fewer controls, measured relentlessly, proved more effective than constant motion.
Designing Behavior
That realization points to a deeper issue beneath tools and metrics: the systems organizations build ultimately shape how people behave. Culture, often dismissed as soft, is deeply operational. It shapes how people respond when trade-offs appear. “Culture is the way you reward people, the way you fix frictions, the way speed is incentivized,” Ibrahim says. If procurement is rewarded solely for cost savings, fragile dependencies follow. If leaders tolerate one exception, privilege creep becomes normalized.
Rather than lecturing employees, Ibrahim emphasizes redesigning the environment so secure behavior becomes the default. Shared accounts and standing admin privileges should be eliminated, replaced by access that is clearly assigned to individuals, granted only when needed and automatically removed once the task is complete. Phishing resistance should be treated as a design goal, with strong email authentication and simple reporting, not endless awareness campaigns. Security must also be embedded into everyday workflows, from supplier onboarding and procurement to HR joiner and leaver processes. “Influencing behavior is less training than friction management,” he says.
Turning Incidents into a Learning Engine
Incidents tend to be treated as isolated crises, resolved and forgotten once systems are restored. Ibrahim sees them instead as production feedback. Rapid, blameless reviews within days should be followed by system-level assessments weeks later to test whether fixes actually held. The focus should be on how decisions need to change, not just which control failed. Controls evolve, thresholds shift and leadership judgment remains essential. Over time, incidents become inputs into a permanent improvement pipeline rather than one-off fire drills.
Clarity Will Matter Even More in an AI-Driven Future
Looking ahead, Ibrahim expects attackers to adopt AI faster than defenders, making static controls obsolete. Identity will become the primary battlefield as automated social engineering accelerates. At the same time, boards, regulators and customers will demand proof that controls work, not assurances that they exist. Security, in his view, is becoming an evidence supply chain. Telemetry, traceability and decision logs will matter as much as detection tools. “The winners don’t have the most tools. They own the clearest risk decisions,” he says. AI will not replace security leaders, but it will expose those who cannot explain, evidence and defend their decisions at speed.
Follow Maman Ibrahim on LinkedIn or visit his website for more insights.
