10 Things I Hate About Cybersecurity

Zero trust doesn’t mean zero grievances.

Cybersecurity is full of challenges—some new, some frustratingly familiar. While, as an industry, we discuss the “evolving digital landscape,” certain bad habits, threats, and misconceptions refuse to change.

Join Dr. Chase Cunningham and HYPR CEO Bojan Simic as they air their top cybersecurity grievances. Don’t miss this candid, insightful conversation between two industry leaders.

Transcript

Bojan Simic (01:18):
Hello everyone! Hey Chase, good to see you.

Dr. Chase Cunningham (01:22):
Hey, what's going on, man?

Bojan Simic (01:25):
Thanks for joining us. Today’s session is “10 Things I Hate About Cybersecurity.”
Chase, you and I have both developed reputations as cybersecurity curmudgeons. We tend to show visible frustration with how often our industry keeps stepping on the same rake over and over again.
Really excited to have this conversation with you — and highlight some of the exciting things you’re working on as well.

Dr. Chase Cunningham (02:09):
Yeah, the moment you said “10 things I hate about cyber,” I was 100% in. No hesitation.

Bojan Simic (02:15):
(laughs) Just ten?
We’ve got our list and we'll go through them one by one — taking turns airing our grievances in true Festivus style.

Dr. Chase Cunningham (02:41):
Air your grievances!

Bojan Simic (02:43):
Exactly.
For everyone listening live — if you have your own cybersecurity pet peeves, drop them in the chat. We’d love to talk about them too.
Chase, anything to add before we kick it off?

Dr. Chase Cunningham (03:10):
Somebody already joked, “Only ten?” Honestly, that's all we have time for.


1. The Cybersecurity Industry Is Stuck on Repeat

Bojan Simic (03:16):
I’ve been in cybersecurity for about 15 years, and honestly, 90% of the conversations today are the same ones from 10 years ago.
I was at the FSI-Sec conference this week in New Orleans. Between eating beignets and fried seafood, I sat through sessions — and it was the same frustrations on repeat.
It feels like the mentality is: "I don’t need to be good, just faster than the next guy."

Dr. Chase Cunningham (04:09):
Exactly.
The industry has a serious victim mentality. People say, “The attackers only have to be right once.” That’s just wrong.
They have to be right constantly to stay successful.
And when you're relying on failed practices, of course bad things happen.
This is the only space in "warfare" where the bad guys tell us what they’ll do, document it publicly — and we still wonder whether to fix the problems. It's insane.

Bojan Simic (04:51):
Stephen just commented, "The only industry where failure is the expected outcome."
So true.

Dr. Chase Cunningham (04:58):
Yeah.
If you do your job right in cybersecurity, you prove a negative. Nothing bad happens — and nobody notices.
But if something bad happens once? Suddenly you're enemy number one.

Bojan Simic (05:24):
Exactly.
I talked to a CISO this week who said, "No matter how hard I try, cybersecurity is seen as pure overhead — until something goes wrong."

Dr. Chase Cunningham (05:49):
Honestly, if I were him, I'd take a month off and let them see what cybersecurity is worth the hard way.


2. The Zero Trust Buzzword Overload

Bojan Simic (05:57):
Zero Trust — my favorite buzzword.
At FSI-Sec, I noticed there was less Zero Trust hype this year. Instead, every booth pushed "non-human identity," "AI," and "agents."
It’s wild how companies spend $500K slapping the latest buzzword on their booths just to stay relevant.

Dr. Chase Cunningham (06:35):
Yeah.
If it's RSA, you’re paying $300,000 just to have a booth next to a bathroom in San Francisco. (Which is basically one big bathroom now anyway.)
Buzzwords aren't strategies.
Zero Trust is a strategy. If you don’t get that by now after a decade of government funding and countless whitepapers, you're deliberately ignoring reality.

Bojan Simic (07:05):
Exactly.
It’s amazing how executives define Zero Trust purely based on their backgrounds — networking, data, etc. They focus on what they already know and ignore everything else.

Dr. Chase Cunningham (07:36):
Yep.
And frameworks like CISA's are reference architectures. You’re supposed to refer to them, not follow them blindly.
It's not "thou shalt do exactly this."

Bojan Simic (08:02):
Right.
People find excuses to ignore a comprehensive strategy when they get overwhelmed.

Dr. Chase Cunningham (08:15):
Excuses are like opinions — everybody's got one.


3. Passwords Refuse to Die

Bojan Simic (08:19):
Passwords — will they ever die?
I’m on the board of the FIDO Alliance, whose mission is literally to eliminate passwords.
At every FIDO event, I ask: “How many of you are still using passwords at your company?”
Most people still raise their hands.
One of our clients said it took the CEO threatening paychecks to finally force full passwordless adoption.

Dr. Chase Cunningham (09:32):
Yeah.
And guess what? The most common password is still 12345678.
It’s insane.
Passwords suck, people suck at using passwords — yet somehow, here we are.

Bojan Simic (09:56):
The PCI requirements for 15+ character passwords are finally forcing change — but it took regulations to push people off the cliff.

Dr. Chase Cunningham (10:20):
It took 35 years for the government to mandate warning labels on cigarettes.
Cybersecurity change moves just as slowly.

Bojan Simic (10:27):
Right?
Security teams are intimidated to drive real identity change.
We know 8 out of 10 breaches are tied to stolen credentials — every major report says it — yet people ignore it.

Dr. Chase Cunningham (11:24):
Or they chase the next shiny object: AI-powered whatever.

Bojan Simic (11:39):
Exactly.
I saw tons of "AI-powered SOC tools" this week — but if we eliminated passwords, 80% of those alerts wouldn’t even exist.

Dr. Chase Cunningham (11:58):
If you need AI just to reset passwords faster — you've missed the point.


4. The Negative-Only Cyber Press

Bojan Simic (12:03):
Another point — have you ever seen a positive cybersecurity news article?
It’s all negativity all the time.

Dr. Chase Cunningham (12:16):
Only maybe that kinda-crappy Netflix movie Zero Day. (laughs)

Bojan Simic (12:45):
Yeah — “What if Google and Apple deployed malware to everyone?”
Cheerful stuff.

Dr. Chase Cunningham (12:51):
They call them product updates now.

Bojan Simic (12:58):
True!
Look, media thrives on negativity. It desensitizes people.
That's why podcasts and more trusted spaces are taking over cybersecurity education.

Dr. Chase Cunningham (13:42):
Agreed.
Unfortunately, too many people still treat Gartner or Forrester as gospel instead of thinking for themselves.

Bojan Simic (14:01):
Exactly.
I now scroll to the bottom of any article to see if it’s “sponsored by” a vendor before even reading it.

Dr. Chase Cunningham (14:41):
They do "research" that conveniently validates their product. (laughs)

Bojan Simic (14:49):
And once someone’s fully committed to a tech they bought into, good luck changing their mind.

Dr. Chase Cunningham (15:20):
Yeah, everyone has their hill they're ready to die on.


5. Indecision in Cybersecurity

Bojan Simic (15:29):
This brings us to indecision.
I was talking to a CISO who said: "It doesn’t matter how great a technology is — if it doesn’t meet a compliance requirement, I probably won’t touch it for three years."

Dr. Chase Cunningham (16:02):
Makes total sense.
Because, obviously, no compliant organization has ever been breached... (laughs)

Bojan Simic (16:09):
Right?
He told me he’s so busy trying to stay afloat with compliance that even valuable innovations get sidelined.
This is why the average CISO tenure is like 18-22 months.
Another security executive I talked to said he’s 11 months into the job — and hasn’t implemented anything yet.

Dr. Chase Cunningham (16:52):
Are they hiring? I'd love a job where I don’t have to do anything but get paid! (laughs)

Bojan Simic (16:57):
He’s working 14-hour days — but still hasn’t delivered real change.

Dr. Chase Cunningham (17:01):
That’s brutal. You're working yourself into the ground — for nothing.
It’s like ice skating uphill.

Bojan Simic (17:13):
The company has had four CISOs in five years.
Part of the problem.

Dr. Chase Cunningham (17:16):
Man, that’s rough.
But hey, at least he’s getting paid well.

Bojan Simic (17:31):
Yeah.
Still, the indecision kills momentum.
When you ask teams, "What happens if you do nothing?" — most will say, "Probably nothing."

Dr. Chase Cunningham (17:53):
Exactly.
And if that's the case, why are we even talking?

Bojan Simic (17:56):
It’s frustrating.
Unless an urgent business driver or regulator forces action, most teams won't move.


6. Compliance-Driven Cybersecurity

Dr. Chase Cunningham (18:14):
That’s a systemic problem.
I work a lot with Capitol Hill — and we keep putting lawyers in charge of national cybersecurity.
They’re writing laws about things that aren’t even technically possible.

Bojan Simic (18:54):
Right?
Why are we putting people who don't understand cybersecurity in charge of setting cybersecurity standards?

Dr. Chase Cunningham (19:14):
Exactly.
Some companies are smart and split leadership — one exec handles compliance, another drives real security.
But unless they coordinate, it’s just two threads of failure running side by side.


7. Human Error is Unavoidable

Bojan Simic (19:32):
One of my personal favorites:
Human error.
I heard so many security leaders say, "We'll just do more training."

Dr. Chase Cunningham (20:00):
(groans)
Training alone is not effective as a control.
Yes, you should train people.
But training won’t stop phishing clicks, reused passwords, or basic human mistakes.
Humans are fallible. They will screw up. It’s inevitable.
You're basically wasting money on something with zero guaranteed return.

Bojan Simic (21:11):
Exactly.
As long as people can type in credentials or give them over the phone, social engineering will happen.
CrowdStrike just reported voice phishing attacks have increased 400% this year.

Dr. Chase Cunningham (21:31):
And with AI tools like ChatGPT, it’s never been easier for attackers to craft convincing phishing lures — in any language.

Bojan Simic (21:37):
Yeah.
A Japanese CISO told me he used to not worry about phishing — attackers didn’t speak Japanese.
Now, they all do.

Dr. Chase Cunningham (21:54):
Everyone’s got access to the same democratized tech now — attackers and defenders alike.

Bojan Simic (22:11):
Exactly.
And companies like Okta are perfect targets because they manage identity for so many others — especially smaller organizations with weaker defenses.


8. Indecision is a Decision

Dr. Chase Cunningham (22:49):
Dan in the comments made a great point: "Indecision is a decision."
If you decide not to act, you've still made a choice — and probably the wrong one.

Bojan Simic (22:58):
Yeah.
It’s painful.
A lot of people in leadership are terrified of making the wrong call — so they freeze.

Dr. Chase Cunningham (23:09):
That’s just bad leadership.
You have to empower your teams.
If a decision turns out wrong, fix it — but don't crucify people for taking action.

Bojan Simic (23:35):
Exactly.
In startups especially, you have to fail fast — make a decision, fail quickly if necessary, and learn.

Dr. Chase Cunningham (23:52):
Same with leadership.
You’re there to put out fires if they happen — not to micromanage every step.


9. Budget Constraints and Post-Breach Spending

Bojan Simic (24:13):
On to budgets.
With the market downturns lately, a lot of security executives are saying, "Our stock price is down, so we can’t fund security initiatives."

Dr. Chase Cunningham (24:24):
Yeah.
But somehow post-breach — the money magically appears.

Bojan Simic (24:39):
Exactly.
I keep meeting post-breach CISOs who inherit messes.
It’s not like their predecessors were incompetent — it's just that security only gets funding after a breach.

Dr. Chase Cunningham (25:49):
Yeah, they didn’t see the bus coming from the side.
But once you’re breached? Suddenly there’s unlimited budget — too little, too late.

Bojan Simic (26:17):
And then it takes two years to operationalize that new budget.
Meanwhile, the CISO probably won’t even last two years in the role.

Dr. Chase Cunningham (26:32):
Exactly.
You get hired twice during that cycle.


10. Good Enough is the Standard

Bojan Simic (26:34):
It amazes me how many companies are satisfied with “good enough” cybersecurity.
Very few aim to be great.

Dr. Chase Cunningham (26:53):
Right.
And without strong metrics, it's hard to prove you're actually improving.

Bojan Simic (27:02):
Most organizations are reactive, not proactive.
The only places I’ve seen proactive security are where people have real tenure and political capital inside the company.

Dr. Chase Cunningham (28:15):
If you have tenure, you can push initiatives forward. Otherwise, you're just surviving.

Bojan Simic (28:23):
Exactly.
Temporary solutions lead to redundant problems.
Layering point solutions year after year leaves organizations bloated and broken.

Dr. Chase Cunningham (28:51):
Yeah.
Organizations fight battles, not wars.
Cyber was declared a combat space back in 2010. It’s 2025 now.
You have to think long-term.

Bojan Simic (29:14):
Agreed.
And without real, meaningful metrics, it's impossible to show progress — or make a case for bigger moves.


Closing Thoughts

Bojan Simic (29:25):
Chase, I know you have a new book coming out tomorrow — tell us about it.

Dr. Chase Cunningham (29:39):
Yeah!
It’s the second in the Gabriel series — a thriller about cyber, AI, Navy SEALs, and national security.
The cool part is — everything in the book is technically possible.
It’s up for pre-order now, and all proceeds go to veterans' charities. So, I hope you enjoy it and support a good cause.

Bojan Simic (30:09):
That’s awesome, man. Love it.
Thanks everyone for joining us for today’s rant session.
We’ll be doing more of these — so keep an eye out for the next HYPR LinkedIn Live.
See you next month!

Dr. Chase Cunningham (30:28):
Thanks, y'all.
