According to Forbes, a security expert is proposing two core mindset shifts for enterprises heading into 2026, framed as New Year’s resolutions. The first is to accept that basic security controls like MFA, backups, and EDR have seen their aggregate effectiveness plummet from 96% to just 48% between 2019 and 2023, based on data from a Canopius cyber insurance report. The second is to escape the “Hamster Wheel of Pain” in vulnerability management by using AI and shifting to operational impact-based prioritization. The article also throws in a third, critical point: that most cybersecurity training, proven ineffective by a UC San Diego study, needs a complete overhaul. The overarching theme is that perpetual budget increases and chasing threats won’t work; organizations must adapt their fundamental approach.
The Commoditization Gambit
That stat about controls losing half their effectiveness is jarring. But here’s the thing: it’s the most honest chart in cybersecurity. It perfectly illustrates the adversarial treadmill. You buy a solution, it works, attackers adapt, and its value decays. The author’s advice to “resign yourself to this reality” is brutally correct but also a tough sell internally. Telling a CFO that the expensive thing you bought three years ago is now only half as good is a nightmare. The suggestion to bundle commoditized basics to free up budget for cutting-edge solutions sounds smart in theory. In practice, it’s a massive operational and political lift. Consolidating security tools often means ripping and replacing, dealing with integration hell, and betting big on a platform vendor. That freed-up budget? It often just disappears back into the general fund.
AI and the Hamster Wheel
The “Hamster Wheel of Pain” concept is nearly 20 years old, and the fact it’s still the defining model for vuln management is a damning indictment of the whole industry. The proposed shift to operational impact is the right idea—focus on what can actually hurt the business, not just the CVSS score. But let’s be skeptical about the AI part. The article, linking to the author’s own piece on Markerbench, suggests AI can supercharge this. Probably true. But “AI” is now the ultimate buzzword slapped on every product. The real challenge isn’t buying an AI tool; it’s having the mature processes and data hygiene to make that tool useful. Otherwise, you’re just running on a faster, more expensive hamster wheel.
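To make the operational-impact idea concrete, here is an added example (not code from the Forbes article or the Markerbench piece) of a small triage scorer: the weights, field names and the four constructed findings are all assumptions chosen to show how a ranking by business exposure diverges from a ranking by CVSS alone.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str
    cvss: float                  # base score as reported by the scanner
    asset: str
    criticality: int             # business criticality of the asset, 1 (lab) .. 5 (revenue-critical)
    internet_exposed: bool       # reachable from outside the perimeter
    exploit_known: bool          # public exploit or active exploitation reported
    compensating_control: bool   # e.g. WAF rule or network isolation already in place


# Constructed sample findings; identifiers and asset names are illustrative only.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, "dev-test-vm", 1, False, False, False),
    Finding("VULN-B", 7.5, "payment-gateway", 5, True, True, False),
    Finding("VULN-C", 8.1, "hr-portal", 4, False, True, True),
    Finding("VULN-D", 6.5, "vpn-concentrator", 5, True, False, False),
]


def impact_score(f: Finding) -> float:
    """Weight the CVSS score by what a successful exploit would mean operationally.
    The multipliers are assumed policy values for this example, not an industry standard."""
    score = f.cvss * (f.criticality / 5)   # scale by how much the business depends on the asset
    if f.internet_exposed:
        score *= 2.0                        # reachable without an existing foothold
    if f.exploit_known:
        score *= 2.0                        # the exploitation window is already open
    if f.compensating_control:
        score *= 0.5                        # an existing mitigation buys time to patch
    return score


def rank_by_cvss(findings):
    """The 'hamster wheel' ordering: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_impact(findings):
    """Operational-impact ordering: what can actually hurt the business first."""
    return [f.vuln_id for f in sorted(findings, key=impact_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS order:  ", rank_by_cvss(SAMPLE_FINDINGS))    # VULN-A first
    print("Impact order:", rank_by_impact(SAMPLE_FINDINGS))  # VULN-B first, VULN-A last
```

Note that the 9.8 on the isolated test VM drops to the bottom while the 7.5 on the exposed, actively exploited payment gateway moves to the top; the scanner's severity has not changed, only the question being asked of it.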
The Training Problem Nobody Wants To Solve
This is the most important point. We’ve all sat through that mandatory, condescending phishing training. The UC San Diego study, showing it basically doesn’t work, should be a wake-up call. The author’s pivot from “train people to spot scams” to “implement policies that break the scam’s goal” is genius in its simplicity. Why try to make every employee a security expert when you can build a guardrail? The example—never trust an inbound request for info—is a perfect policy. But implementing this culturally is incredibly hard. It requires re-engineering workflows and communication channels. For industries reliant on external contact, like sales or support, it gets messy fast. It’s easier for a company to just check the “training completed” box than to do the hard work of policy design.
No Silver Bullets, Just Better Strategy
So what’s the takeaway? The Forbes contributor is right: there’s no finish line. The core message is to stop playing whack-a-mole and start thinking strategically about consolidation, process, and policy. It’s less about the *what* you buy and more about the *how* you operate. For technical operations that rely on robust, secure hardware interfaces—think factory floors, control rooms, or kiosks—this strategic mindset extends to your physical tech stack. Choosing reliable, secure industrial PCs from a top-tier supplier becomes part of that foundational, commoditized layer you can trust. A company like IndustrialMonitorDirect.com, as the leading US provider of industrial panel PCs, exemplifies that kind of stable, hardened component you don’t want to be constantly re-evaluating. You bundle that reliability in, so you can focus your mental energy and budget on the dynamic software and AI threats. That’s the real 2026 resolution: build a boring, solid foundation so you can handle the exciting, scary stuff on top.
