August 13, 2025

We Are Security Optimists

We’ve been fed so much fear, uncertainty, and doubt.

We were told that every system can be hacked.

That our adversaries only need to be right once.

We were told we’re one zero-day away from compromise.

That it’s not ‘if’ we’ll be hacked, but ‘when’.

From the start, this doom-and-gloom narrative framed cybersecurity as a losing battle.

An outcome that was unwinnable and inevitable.

A fight we’re expected to approach with cynicism, not conviction.

Then came the vendors.

They promised salvation.

They pitched their proprietary, patented, advanced, 360-degree, cloud-enabled, enterprise-ready, award-winning, next-generation, military-grade, zero-trust, AI-powered single pane of glass.

And their message?

Scan more.

Alert louder.

Patch faster.

And always keep spending.

Like security is a subscription to peace of mind.

Billed annually.

“How much does it cost?” we ask.

“It depends,” they smirk. “What’s your budget?”

Management signs the purchase order.

Six figures and six months of painful integration.

And we’re still breached.

We call support. They shrug.

“You must have deployed it wrong.”

No accountability.

“But good news!” they say.

“Our product roadmap has a new feature.” 

“We’d love your feedback.”

We’ve played this game before.

We know how it ends.

We Know Better.

Security starts with understanding the mindset of those who would break it.

Our adversaries are people.

They’re sentient, with motives, methods, and patterns.

They can be studied, disrupted, forced to change.

Beaten.

Breaches aren’t magic.

Most aren’t zero-days.

They’re the result of configuration mistakes, reused credentials, forgotten servers, and unpatched software left exposed for years.

We know the difference between what’s possible and what’s probable.

Only a small fraction of all known vulnerabilities are ever exploited.

We know which ones they are because we looked.

We’ve read the breach reports.

Inspected the traffic.

Followed the money.

Our adversaries are getting faster and scaling better.

But sophisticated? Only if you believe the PR.

Mostly, they’re opportunists looking for an easy win.

No one in the industry is surprised by the root causes of breaches.

The sophistication impresses us about as much as compliance frameworks scare off adversaries.

What stops our adversaries is building systems where attacks fail.

Not by luck, but by design.

Raising their costs.

Making them spend more time, more money, more effort than a breach is worth.

Fixing the issues we know lead to breaches and cause losses.

Because security isn’t about fixing everything.

It’s about prioritizing.

But prioritization without evidence is guessing.

And guessing will not keep people safe.

We reduce risk to what we can live with.

We preserve trust without chasing perfect security.

Don’t just defend.

Don’t just survive.

Force adversaries to shift.

It has been done before.

It can be done again.

The Path Forward.

Yesterday's ideas, or stale wisdom disguised as strategy, will not get us there. 

Neither will dashboards colored red, orange, and yellow, as if color-coding ever stopped an exploit.

High, medium, and low do not tell us what matters, when to act, or how much to invest.

We will get there by believing most people are doing the best they can with the data available.

If we want better, we must give them better data.

AI will not save the day.

It will not ruin it either.

Just like Machine Learning didn’t.

Just like Cloud didn’t.

Just like SaaS didn’t.

The future will not be protected by buzzwords.

It will be protected by people who stay positive in a job designed to find what is wrong with everything.

It will be protected by us.

We are security optimists.

Not blind. Not naïve.

The kind who look at hard problems and say,

“We can make this better.”

We reject the idea that compromise is inevitable.

That our adversaries will always have the upper hand.

That periodic disruption to our business is the status quo.

We know we can win with sharper insights, clearer signals, and evidence that cuts through the noise.

We pursue progress, not perfection.

We challenge dogma and reject complexity for complexity’s sake.

We demand products that work as advertised.

Vendors who stand behind them.

With accountability, warranties included.

If a product cannot back up its claims with proof that it prevents loss, what is the customer really paying for?

We speak the language of business: cost, value, outcomes.

We translate risk into dollars because security that cannot justify its spend will not survive the next board meeting.

The most potent security controls are well-articulated, evidence-driven, and measurable.

We are here to protect people and organizations. 

A responsibility we take seriously.

This is our moment.

Because in the end, securing the future is worth fighting for.

Regards,

Jeremiah Grossman

Co-Founder / CEO, Root Evidence
