{"id":15798,"date":"2026-02-13T12:06:16","date_gmt":"2026-02-13T12:06:16","guid":{"rendered":"https:\/\/newestek.com\/?p=15798"},"modified":"2026-02-13T12:06:16","modified_gmt":"2026-02-13T12:06:16","slug":"the-foundation-problem-how-a-lack-of-accountability-is-destroying-cybersecurity","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15798","title":{"rendered":"The foundation problem: How a lack of accountability is destroying cybersecurity"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

A tale of two industries<\/h2>\n

The United States Navy takes 18-year-olds fresh out of high school and trains them to operate nuclear reactors in 18 months<\/a>.\u00a0These aren\u2019t college graduates. They\u2019re not experienced professionals. They\u2019re young people with the right potential who go through the most rigorous, structured program in the military that transforms them into personnel trusted with some of the highest-stakes responsibilities imaginable.<\/p>\n

Meanwhile, in cybersecurity, we claim we can\u2019t find qualified people.<\/p>\n

We claim there\u2019s a talent shortage, that candidates just don\u2019t have the skills we need. We look for unicorns, saying training takes too long. We constantly search for senior professionals who, we say, will \u201chit the ground running,\u201d while junior candidates watch their growth opportunities evaporate.<\/p>\n

The problem isn\u2019t the candidates. The problem is leaders who won\u2019t take ownership of building the teams that we need and won\u2019t follow through on development. This is leadership that chooses the path of least resistance instead of doing the hard work of creating foundations for success.<\/p>\n

How do I know this? I was one of those nuclear reactor operators for 22 years. Now I work in cybersecurity. If we can train nuclear reactor operators from scratch, we can train security analysts. We\u2019re just choosing not to.<\/p>\n

But refusing to train candidates is just one symptom of the deeper disease. Across the technology fields, we\u2019re seeing a pattern of leadership failures that all share a common thread: lack of accountability and ownership. Leaders who only conduct surface-level analyses instead of finding real root causes. Leaders who stay disconnected from their teams while technical debt accumulates into genuine security risks. Leaders who avoid hard conversations with the business because they simply don\u2019t know how to frame cybersecurity as a risk reduction mechanism or as anything more than a cost center.<\/p>\n

The accountability gap<\/h2>\n

When leaders don\u2019t take ownership, it shows up in predictable ways. Some are obvious, like teams that have a high turnover rate, projects that never finish or the same problems recurring month after month, year after year. Others, like technical debt, are far more insidious. Technical debt accumulates until it becomes a critical vulnerability, and until the interest you\u2019re paying to keep the business running somewhat smoothly is more work than the normal operational work you do.\u00a0 Technical debt is also its own form of risk. It presents itself in vulnerabilities and in customer churn when all of those manual processes break as someone on your team exits the business.\u00a0 Finally, root cause analysis that stops at comfortable answers instead of hard truths is another huge sign. Let\u2019s be honest about what leadership failure looks like today.<\/p>\n

Surface-level root cause analysis<\/h2>\n

The incident happens. The post-mortem gets scheduled. The team gathers, reviews a timeline that isn\u2019t quite right, but good enough, and they all toss out some contributing factors. A report gets written. Everyone acknowledges the corrective actions. And then nothing happens. A research paper<\/a> published in Computers & Security<\/em> states that researchers \u201cfound little evidence of thorough investigations to find the underlying causes.\u201d<\/p>\n

Then a similar incident happens again.<\/p>\n

Real root cause analysis is hard. It requires asking \u201cwhy\u201d until you\u2019re uncomfortable with the answers \u2014 the truths \u2014 about processes that don\u2019t work, decisions that seemed reasonable at the time and assumptions that were wrong. It requires being willing to discover that you, as a leader, contributed to the problem through your action or inaction.<\/p>\n

Surface-level analysis stops at the first convenient answer and never addresses the real why. But the cost of stopping too early is being actively measured in recurring incidents, customer churn and team demoralization, which contributes to team turnover as well. When the same types of problems keep happening, your team learns a lesson: leadership doesn\u2019t actually want to fix things. They want to be seen going through the motions.\u00a0 Taking ownership means following the chain of causality until you find something you can actually fix, and then fixing it. That\u2019s accountability.<\/p>\n

The perfect hire fallacy<\/h2>\n

The Navy\u2019s Nuclear Propulsion Program takes 18-year-olds with the right aptitudes and trains them to operate nuclear reactors in all corners of the globe in 18 months. These aren\u2019t college graduates, and these aren\u2019t people with years of experience. Just the right attitude and aptitude in someone, placed into a rigorous, structured training program that transforms them.<\/p>\n

The program builds talent, but meanwhile, in cybersecurity and information technology, we claim we need someone with five years of experience in a technology that\u2019s only been around for five. We ask for security analysts who are also developers and who understand compliance frameworks.<\/p>\n

This is laziness disguised as pragmatism. In fact, less than a quarter of respondents to a recent survey<\/a> of cybersecurity professionals believe that management actively tries to reduce their stress. Half reported that senior management adds to their stress.<\/p>\n

We\u2019re avoiding the truth that training people requires leadership effort. It requires creating structured learning paths, providing mentorship, investing time in developing capabilities. It requires true engagement in people\u2019s growth instead of just assigning tasks. It\u2019s hard work, and many leaders simply don\u2019t want to do it.<\/p>\n

So instead, we hunt for unicorns, wondering why our teams never stabilize, and why talented people decide to leave the field entirely when they realize there\u2019s no path forward for them.<\/p>\n

Technical debt as leadership failures<\/h2>\n

Every technology leader has a mental list of technical debt. Systems that need updating or configurations that need to be hardened. Monitoring gaps that need to be closed. We know that all of these exist \u2014 in fact, we document them and track them in our project management tools.<\/p>\n

And then we don\u2019t demand the time to fix them.<\/p>\n

We tell ourselves the business doesn\u2019t understand, it\u2019s budget constraints or we\u2019ll get to it next quarter. What we\u2019re really doing is failing to translate technical debt into business risk in a way that demands action.<\/p>\n

The uncomfortable truth is that we\u2019re not demanding that technical debt be addressed as part of product development cycles because that would require hard conversations. Conversations where we tell business stakeholders that moving fast now will mean paying a higher price later. Conversations where we advocate for investment in things that don\u2019t create visible new features.<\/p>\n

These conversations are part of our job. When we don\u2019t have them \u2014 when we accept the accumulation of more and more manual tasks to keep things running that should\u2019ve been automated multiple sprints past \u2013 then we\u2019re choosing short-term comfort over our actual responsibility to the business.<\/p>\n

Why this happens<\/h2>\n

These patterns don\u2019t just happen by accident. If they did, we wouldn\u2019t see them in so many places. They happen because of choices \u2014 choices individual leaders make, choices organizations make about how they develop (or don\u2019t develop) their leaders, and choices businesses make about how they treat their security functions.<\/p>\n

Let\u2019s start with the uncomfortable truth that we don\u2019t have any real leadership training in the industry. We promote technical people into management roles and expect them to figure out leadership on their own. Then, we act surprised when these newly minted leaders manage the way they were managed \u2014 or worse, when they don\u2019t manage at all.<\/p>\n

Other professions do invest in their leadership. Healthcare has residencies and fellowships that teach leadership roles. Business schools teach management principles. But in our industry, we throw people into the roles and hope they figure it out.<\/p>\n

Lack of training doesn\u2019t fully explain the problem, however. There\u2019s an individual component at stake. The fundamentals of good leadership aren\u2019t mysterious: follow through on commitments, dig deep to understand root causes, stay engaged with your team and have hard conversations when necessary. These aren\u2019t advanced concepts requiring an MBA. They\u2019re basic accountability and ownership.<\/p>\n

Many leaders know this is what they should be doing. They\u2019re choosing not to do it because it\u2019s hard. It\u2019s easier to hire than to train, and it\u2019s easier to accept surface-level answers than to keep asking why until you get to those uncomfortable truths. The path of least resistance is the road well-travelled, unfortunately.<\/p>\n

Finally, the third piece to this puzzle, the dilemma we face, is a systemic failure of business leadership to also do its own introspection. Why does the business have high churn, both with customers and within teams? Are we setting people up for failure? Do we create conditions where good leadership is possible?<\/p>\n

The result of all three of these factors is a self-fulfilling prophecy where we make people into managers with no training, and then they may make it into business leadership, still not understanding how to look at things like technical debt because their leaders didn\u2019t make it seem important to them either. This causes teams to burn out, simply because the fundamentals of good leadership aren\u2019t being practiced.<\/p>\n

This isn\u2019t all a sad story, however. Choices can be changed. But only if we\u2019re willing to be honest about what we\u2019re choosing and why. Leadership accountability isn\u2019t complicated \u2013 it just requires choosing to do the work.<\/p>\n

The teams we could build<\/h2>\n

Imagine cybersecurity teams where people want to stay and grow. Where junior analysts see clear paths to becoming senior practitioners. Where the same problems don\u2019t recur because leaders actually implement fixes. Where technical debt gets addressed because leaders translate it into business risk that demands action. When these things happen, success compounds because you\u2019re building on solid foundations instead of starting over.<\/p>\n

These teams do exist. They\u2019re led by people who take ownership. The talent is there. The knowledge of what good leadership requires is there. What\u2019s needed is simply the choice to do it.<\/p>\n

We don\u2019t have a talent shortage in our industry. We have a leadership accountability gap. And unlike the talent market, that\u2019s something we can actually control.<\/p>\n

The foundational problem has a foundational solution: take ownership. Follow through. Build people. Have the hard conversations. Do the work.<\/p>\n

The teams and the culture that we all want are waiting on the other side of that choice.<\/p>\n

This article is published as part of the Foundry Expert Contributor Network.
Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

A tale of two industries The United States Navy takes 18-year-olds fresh out of high school and trains them to operate nuclear reactors in 18 months.\u00a0These aren\u2019t college graduates. They\u2019re not experienced professionals. They\u2019re young people with the right potential who go through the most rigorous, structured program in the military that transforms them into personnel trusted with some of the highest-stakes responsibilities imaginable. Meanwhile,… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15798","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15798"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15798\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}