Running to Stand Still: The Illusion of Cyber Risk Reduction
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
There is a kind of strategic failure that produces no visible signal until it is too late. It looks like progress. It reports well. It generates clean audit findings and improving metrics. And it leaves the organisation materially no safer than when the investment began.
This is not the failure of neglect. Neglect is obvious and correctable. This is the failure of continuous, well-funded effort directed at only half of the problem. Most security programmes are doing the necessary work. Very few are doing sufficient work. The difference between the two is rarely visible in how investment is presented to boards, and almost never made explicit in how risk position is reported to them. The World Economic Forum, whose 2021 Principles for Board Governance of Cyber Risk has become a benchmark for how organisations think about executive accountability, explicitly frames cyber security as a matter of enterprise risk management rather than technical compliance.[1] That framing is right. The problem is that it has not resolved a deeper confusion about what risk, exactly, is being governed.
Cyber risk is not a stable variable. It moves continuously, driven by forces that rarely hold steady simultaneously: adversaries who adapt and scale what works; controls that erode as exceptions accumulate and architecture grows more tangled; and businesses whose own risk profiles shift as they restructure, concentrate value, and deepen dependencies. Even a programme performing well against its own measures can be losing ground to this dynamic. A posture appropriate last year is, by default, slightly less adequate this year. The environment moves. Risk drifts upward. Standing still is not available as a strategic option.
Biologists have a name for this. Leigh Van Valen, writing in 1973, described what became known as the Red Queen hypothesis: the observation that species must keep evolving simply to maintain their relative fitness against co-evolving competitors and parasites.[2] The name comes from Lewis Carroll’s Through the Looking-Glass, where the Red Queen tells Alice that it takes all the running you can do just to keep in the same place. Van Valen was describing evolutionary arms races, but the logic applies with uncomfortable precision to adversarial environments. Defenders and attackers co-evolve. The effort required to hold a given position grows continuously, because the threat is not static. A security programme that runs at a constant pace in a Red Queen environment fails to hold its position. It is losing ground at the rate the threat is advancing.
This is not a metaphor. It’s a description of observed behaviour. Threat capability has been compressing the average interval between technique development and widespread adversarial adoption for at least a decade. The move from exploit development to commodity tooling, the industrialisation of ransomware as a service, and the acceleration of vulnerability weaponisation each shorten the window in which defenders can respond before a technique becomes standard practice. An organisation investing the same in risk management this year as last is almost certainly losing ground, not holding it. Yet investment proposals rarely account for this. The implicit assumption underpinning most security programme governance, that current effort, properly maintained, will produce stable outcomes over time, is one the evidence does not support.
The core problem, though, lies beneath the arms race dynamic. Governance frameworks rarely distinguish between two categorically different kinds of work.
The first is risk management: the continuous activity required to maintain a position against a moving system. Vulnerability remediation, detection tuning, review of findings, and control maintenance. Necessary and non-negotiable, but conservative in its effect. It holds the line. The second is risk reduction: interventions that change the system itself. Removing an attack path rather than managing around it. Redesigning to reduce blast radius. Breaking a critical dependency before it becomes a point of failure. Designing out a class of vulnerability rather than continuously processing its instances. This is structural change. It alters the terms of the adversary’s problem, not merely the speed of the defender’s response.
These two kinds of work are not simply different in degree. They are different in kind. The boundary between them is not always crisp: some risk management activity, pursued with sustained intent and the right organisational authority, does produce structural change over time. But the distinction matters because these two categories carry different strategic weight, warrant different investment logic, and tell different stories about actual trajectories. An organisation that separates them has a coherent basis for allocating capital. One that does not is likely funding risk management at scale while understating how little structural ground it is actually gaining.
It is also worth noting that structural improvement is not a permanent condition. Architectural change accumulates its own exceptions and complexity over time. A consolidation that genuinely reduces attack surface in year one can generate new dependencies and coverage gaps by year three. A simplification that removes one class of failure can create another form of concentration. Risk reduction is better understood as a time-bound intervention than a durable achievement. This is one reason governance frameworks need to track structural posture as a live indicator rather than as a completed item on a programme list. The WEF principles and the subsequent NACD partner report that elaborated them both emphasise the importance of the board understanding the organisation’s cyber posture in terms of business risk impact.[3] That understanding is not possible without a framework that can distinguish between these two categories of work.
Why does the confusion persist? The answer is partly a measurement failure and partly an incentive problem, and the two reinforce each other in ways worth examining.
Activity is visible and auditable; progress is an inference from it. Boards can track programmes, count closures, and review dashboards. The alternative interpretation, that the programme is running to stand still, is uncomfortable and hard to surface through standard governance mechanisms. But the incentive problem runs deeper. The full ecosystem of board, executive, security leadership, and vendor rewards delivery: clear milestones, improving metrics, programmes that are well-governed and on schedule. It does not reward the harder and more disruptive work of removing dependency, simplifying architecture, or absorbing near-term operational pain for long-term structural improvement.
This is not a failure of competence. It is a rational response to how performance is measured and rewarded. Hans Jonas, whose moral philosophy of technology remains one of the more demanding frameworks for contemplating responsibility under uncertainty, argued that the scale and complexity of modern technological systems create an obligation to attend to long-range consequences that are inherently difficult to perceive in the immediate term. His concept of the “imperative of responsibility” is directed at actors whose decisions shape systems in ways that outlast their tenure. The board member approving a security programme measured entirely by near-term delivery metrics is doing exactly what Jonas warned against: optimising for what is visible and tractable while discounting what is diffuse and structural. This is not malice. It is the predictable result of governance frameworks calibrated to motion rather than to direction.
Vendors operate within the same logic. Structural change that reduces the need for ongoing intervention is, in purely commercial terms, less attractive than managed, recurring activity. Capital flows toward what can be shown, and what can be shown is motion. The security industry’s business model has a structural preference for risk management over risk reduction, because the former creates durable revenue streams and the latter threatens them.
This produces a pattern that is consistently visible in incident post-mortems. Organisations that have lived through a serious breach frequently saw their programme metrics improving beforehand. Backlogs were shrinking. Detection had been uplifted. Governance was functioning. The post-mortem accounts of major incidents, whether the sustained intrusions at organisations with mature security programmes or the ransomware events that have paralysed health systems and infrastructure operators with security investments, reveal the same structural signature: well-managed programmes that nonetheless failed to address the architectural conditions that made catastrophic impact possible.[4] The metrics were not lying, exactly. They were measuring the wrong thing: how well the organisation was managing its position, not how well that position would hold under real adversarial pressure.
One question makes the situation legible. For any material security investment, does this reduce risk, or does it stop risk from getting worse? Both categories of work are necessary. But they carry different strategic weight, speak differently to a board’s risk appetite, and require different governance. Blurring them produces a narrative calibrated to motion rather than to direction. It also produces portfolios heavily weighted toward running, and lightly weighted toward changing the terrain.
The UK government’s 2025 mapping of its cyber governance code to the WEF principles is instructive here.[5] The mapping is careful and technically competent. But it reproduces the same gap: it tells organisations how to govern what they are already doing rather than how to interrogate whether what they are doing is sufficient against the threat they actually face. Governance sophistication is not the same as strategic clarity about the nature of the problem being governed.
The required move is not to stop managing risk. That is the floor, not the ambition. The discipline of being explicit in investment decisions and programme reporting changes how organisations understand which kind of work is being funded. How much holds the line? How much actually shifts exposure? Where are structural bets placed consciously, and where is effort being absorbed into programme delivery and labelled as progress?
A board that cannot answer these questions does not have a clear picture of its risk position. It has a picture of its programme performance, which is different and considerably less useful. A security function that cannot articulate the distinction lacks the ability to make the case for structural investment, because it has no language that separates the work that changes the game from the work that merely keeps it going.
Running hard is not the same as moving forward. The Red Queen dynamic means that standing still requires effort, but effort does not guarantee standing still. Most organisations are not failing because of neglect. They are working, spending, and delivering against a system that is advancing at roughly the same pace. The question governance rarely forces is whether all that effort is actually changing anything, or merely sustaining a position that everyone has agreed, for understandable reasons, to describe as progress. Boards that cannot distinguish between these two things are not governing cyber risk. They are governing the appearance of it.
Notes
1. World Economic Forum, Principles for Board Governance of Cyber Risk (Geneva: WEF, 2021). See also Chris Krebs et al., “Principles for Board Governance of Cyber Risk,” Harvard Law School Forum on Corporate Governance, 9 June 2021.
2. Leigh Van Valen, “A New Evolutionary Law,” Evolutionary Theory 1 (1973): 1–30. For an accessible account of the Red Queen hypothesis and its extension beyond biology, see Wikipedia, “Red Queen hypothesis,” accessed 2026.
3. National Association of Corporate Directors (NACD), Principles for Board Governance of Cyber Risk (NACD/WEF partner research report, 2023). The report elaborates the WEF principles with particular attention to how boards should receive and interrogate risk reporting from management.
4. Hans Jonas, The Imperative of Responsibility: In Search of an Ethics for the Technological Age (Chicago: University of Chicago Press, 1984). Jonas’s central argument, that technological power creates an obligation to anticipate and prevent harm at scales and timescales previously beyond individual moral consideration, is summarised in the secondary literature; see “Hans Jonas: Ethics, Technology, and the Responsibility of the Future,” Philosophy World Democracy (2025), and the Philosophia overview of Jonas’s framework (2017).
5. UK Government, “Mapping cyber governance code to WEF Principles for Board Governance of Cyber Risk” (2025). The document is a useful reference for organisations seeking to align their governance frameworks to the WEF principles, but it addresses procedural alignment rather than the substantive question of whether the underlying investment logic is adequate.

Proper piece this, John. The Red Queen framing is spot on and the risk management vs risk reduction distinction is something I've been thinking but didn't have your clean language for it. So cheers for that, I’m nicking it.
Where I’d push back slightly is the assumption that better governance frameworks solve this. The bottleneck is that most CISOs don’t have the organisational authority or the air cover to say “we need to rip this out and it’s going to hurt for six months.” Easier to keep the dashboard green and not cause a fuss. Everyone keeps their job. Nobody asks awkward questions until the post-mortem.
Too many orgs, especially in that Series A to C growth phase, are spending well and still losing ground. They need someone who’ll walk in and say “half of this is treadmill, let’s talk about the half that actually moves you forward.” Your piece gives that conversation a framework. Looking forward to the next one.