A lot within cybersecurity has remained constant since the inception of the computer: passwords still get shared, confidential data still leaks, and attackers still hide in the shadows. What has changed, drastically, is the environment these weaknesses now sit in. Digital systems underpin critical economic activity, keeping supply chains moving and essential services running, writes Gavin Millard, Senior Vice President, EMEA at Tenable.
Yet, despite this seismic shift in the threat landscape, many organisations are trapped in active inertia. This management phenomenon occurs when leaders respond to disruptive change by accelerating the activities that brought them past success. Like a car stuck in the mud, the wheels spin furiously and the engine roars, but the vehicle only digs itself deeper into the rut. In cybersecurity, this isn’t a lack of effort; it is the dangerous acceleration of outdated “success formulas” in a world that no longer rewards them.
When Success Becomes a Trap
Security teams often believe their biggest hurdle is an uninformed executive board. In reality, the issue is rarely ignorance; it is the calcification of legacy strategic frames. Boards are rarely apathetic; most are terrified of being the next headline and are actively approving cyber spend. The problem is that they are suffering from active inertia, treating a “passed audit” as a synonym for “secure”.
This creates “strategic blinders” where processes become rigid routines. We see teams drowning in spreadsheets, working 80-hour weeks to patch “critical” vulnerabilities that represent zero actual risk, simply because a policy written a decade ago says so. Following a framework becomes an unquestionable dogma, even as attackers move from initial breach to full domain compromise in hours. When the threat environment shifts from human-scale to automated exploitation, doing the wrong things faster only speeds the collapse.
The Circuit Mindset: Measuring Resistance
To break this inertia, we must stop viewing our environment as a static list of compliance building blocks: CVEs, identities, misconfigurations and exposed assets. While tools like Attack Path Analysis (APA) help, they often just draw lines between parts in a pile without capturing the dynamic nature of an attack.
A more pragmatic mental model is to think of exposure as a circuit. Attackers behave like electrical current, naturally flowing through the path of least resistance. It doesn’t matter if a path is long or short: a complex path with zero resistance is infinitely more dangerous than a short path requiring nation-state level effort to traverse.
True proactive security is about raising the resistance at the steps that matter. We must identify the “resistors”: not just high CVSS scores, but the weak passwords and cloud misconfigurations that offer zero resistance. We must also recognise “voltage”: a vulnerability actively exploited in the wild carries a far higher charge than a theoretical flaw on a test server.
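The circuit model above can be made concrete with a small sketch, added here as an illustration and not taken from the author or from any Tenable product. It finds the path of least total resistance through a constructed exposure graph, ignoring hop count, and then asks which single step would raise that resistance the most if hardened. The node names, the 0-10 resistance scores and the Ohm's-law style `current` ranking are all assumptions.

```python
import heapq
from math import inf

# Constructed exposure graph: node -> [(next_node, resistance)].
# Resistance is an assumed 0-10 score for attacker effort at that step.
GRAPH = {
    "internet": [("public_bucket", 0.0), ("vpn_gateway", 9.0)],
    "public_bucket": [("ci_token", 1.0)],
    "ci_token": [("build_server", 2.0)],
    "build_server": [("svc_account", 0.0), ("legacy_host", 1.0)],
    "svc_account": [("domain_admin", 0.0)],
    "legacy_host": [("domain_admin", 1.0)],
    "vpn_gateway": [("domain_admin", 8.0)],
}

def least_resistance(graph, src, dst):
    """Dijkstra on summed resistance; hop count is ignored on purpose."""
    best = {src: 0.0}
    heap = [(0.0, [src])]
    while heap:
        total, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return total, path
        if total > best.get(node, inf):
            continue
        for nxt, step in graph.get(node, []):
            if total + step < best.get(nxt, inf):
                best[nxt] = total + step
                heapq.heappush(heap, (total + step, path + [nxt]))
    return inf, []

def current(voltage, resistance):
    """Assumed Ohm's-law ranking: zero resistance means unbounded flow."""
    return inf if resistance == 0 else voltage / resistance

def best_resistor(graph, src, dst, hardened=10.0):
    """Find the single step whose hardening lifts the easiest path the most."""
    scored = []
    for node, edges in graph.items():
        for i, (nxt, step) in enumerate(edges):
            trial = {n: list(e) for n, e in graph.items()}
            trial[node][i] = (nxt, max(step, hardened))
            scored.append((least_resistance(trial, src, dst)[0], (node, nxt)))
    return max(scored)

if __name__ == "__main__":
    print(least_resistance(GRAPH, "internet", "domain_admin"))
    print(best_resistor(GRAPH, "internet", "domain_admin"))
```

In this constructed graph the five-hop route through the exposed bucket has total resistance 3 against 17 for the two-hop VPN route, and hardening the bucket step moves the easiest path further than hardening any step after the branch at the build server.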
Culture Over Compliance
Technical controls like continuous monitoring and secure architecture are vital, but without a shift in team culture, even advanced tools fall short. Active inertia is often reinforced by a fear-driven culture that discourages transparency, causes team burnout and slows remediation.
Real resilience requires psychological safety. Practical initiatives, such as “vulnerability amnesties,” allow teams to identify and fix weaknesses without fear of repercussion for past oversights. This breaks the cycle of inertia by prioritising actual risk reduction over the mere appearance of following a process.
Building True Resilience: Absorbing the Shock
Cybersecurity is no longer just about 100 per cent prevention — a mathematical impossibility. The focus must shift to how organisations can absorb shock while continuing to function. This requires:
● Safe Degradation: Designing systems so they don’t fail all at once.
● Leadership Clarity: Boards need a direct line of sight from a cyber incident to its financial and strategic impact.
● Modern Cadence: Moving from 90-day patch cycles to a 24-to-72-hour window for exploitable assets that could lead to a business impact.
This shift is critical in the supply chain, where relying on annual questionnaires — a classic “busy work” routine — is no longer sufficient. With one in 10 UK businesses stating they would be unlikely to survive a major cyber attack, the economic fallout is too great to ignore.
The AI Reality Check
The urgency to pivot is driven by the speed of AI adoption within the attacker economy. AI-powered attackers use ruthlessly efficient automation to exploit low-resistance exposures at scale. You cannot scale a linear, human process to match exponential machine speed. If you fight AI-driven attacks by simply demanding analysts close more tickets or shrinking SLAs, you have already lost.
To outpace the modern attack, we must fight AI-automated attacks with AI-powered mobilisation. The prioritisation of what matters and the remediation of those issues must be as automated as the attack itself.
Conclusion
The differentiator in the modern landscape will be leadership that recognises when old success formulas have become liabilities. By fostering healthy team dynamics, adopting a “circuit mindset” to measure resistance, and treating cybersecurity as a strategic business issue, organisations can finally gain the traction they need to break the cycle of active inertia.




