Over the years, a pattern has emerged. A pattern that worries me. A pattern that indicates that security "professionals" still don't get it.
This pattern suggest a big majority of high level security professionals (I.E. CSOs, CISOs, CIOs,, CTOs, Sr VPs) still approach security is either a purely technical problem, or one that only serves a "mandatory checklist" or certification.
With that kind of approach and mindset, there is no question security will remain an endless loop of the same old problems solved by the same old (unsuccessful) solutions.
This is bad.
Security doesn't live only on the technical domain, Security is not just a piece of software, some "mitigating controls", and AI SIEM detection. Security is not a collection of buzzwords that cost money, that give you the cover your ass checkbox marked as done.
Security starts a lot sooner than technology. It begins with the culture, the people, the way things are done. It begins with the idea behind the organization, the idea that drives the ways things are done, the policies and best practices. It starts with the top of the top, the leadership and the organization's influencers. It's a purely metaphysical problem, with shades of gray to make it even more complex. It's a human problem.
It is only at the end of the spectrum that it becomes a technical problem.
In order to solve this problem, it is necessary for security professionals to be two different people, to act as two different minds: you have to understand the organization you are trying to defend, while at the same time understanding the adversary that will come after you.
Fail to do either, and security will not work. Period.
In order to apply the proper level of defenses, you have to know what makes your organization function, what is at its core, and what are the most valuable assets, things that if you deny or take away will make your organization suffer or fail altogether. At the same time, in order to apply successful defenses, you need to know who can attack you, how they would attack you, what would they use to attack, what would their focus be, and what would be the attacker's end goal. You need to understand how your defenses would stand against all this, how your policies and people will react to the attack, and whether your organization has built-in resiliency to survive an attack, when it comes.
So, you see, offensive and defensive security are in fact one thing. They are interconnected, and you can't have security without one of them.
Solving a technical problem is only one tiny part of the puzzle.
You need to start mixing adversarial thinking into your program. You need to start changing your mindset and begin at the top, the "Level 4" Red Teaming. You need to start factoring history, the driving forces behind your industry, the current political trends, the economy, the people and their motivations, your organization's main ideals. Then, only then, start going down the ladder into the physical realm and finally the technical world.
You need to start Red Teaming. And no, Red Teaming is NOT pentesting.
Red Team it. Get to the next level.