In the late 1950s China started the Four Pests campaign to destroy what it believed were the pests undermining economic progress. Thirty million people died. Why? Sparrows were on the list, and sparrows eat grain. Fewer sparrows = more grain, right? Except the sparrows also ate the locusts, which were now free to ravage the crops, precipitating a massive famine.
The fundamental element of any system, whether ecological or technological, is that the components are interconnected and (often) interdependent. You can’t change one without affecting the others. Risk itself is a great example of this—risk is not a “thing”, it’s an ecosystem of separate-but-interdependent elements: threats, vulnerabilities, sensitivity, criticality, impact, likelihood. Addressing any one of them in isolation will only precipitate unexpected consequences elsewhere.
When we pretend that cybersecurity is just a loose confederation of discrete technology verticals and not a system of interdependent inputs and outputs, we undermine our own effectiveness. One manifestation of this is pretending that aligning controls to attacker techniques on the ATT&CK Matrix means we can protect/detect/respond effectively in a horizontal sense, across the attack chain. It doesn’t, and many orgs discover too late that their internal silos represent people + process gaps that their tools cannot fill.
To get ahead, we cannot continue to believe the myth that a security organisation that is vertically capable is inherently horizontally capable. It simply isn’t true. James Clear’s advice in “Atomic Habits” applies just as much to cybersecurity as it does to anything else: we don’t rise to the level of our goals, we fall to the level of our systems.
Cybersecurity is a System

December 2, 2024