Cybersecurity needs more prevention and less reliance on cure

Wait 5 sec.

Ask any medical doctor, and they’ll tell you that prevention is better than cure. It’s more cost-effective and it has better outcomes.The same is true in cybersecurity. But we believe that our industry has veered too far away from this simple concept. We observe that most new tools are detection-focused, and we are calling for cyber innovators and venture capital to re-emphasize and invest resources into blocking rather than just discovering problems.The reasons that cybersecurity relies on detection are understandable, and they are based on the history of networked systems. Early systems were fragile. Recovery was slow and downtime was costly. So, the first security controls were designed to restrict unauthorized access. They blocked execution and prevented exploitation, because if an attack succeed – such as a computer virus running successfully – the consequences might have been irreversible.When the internet exploded in the 1990s, prevention solutions multiplied. Vendors developed firewalls and antivirus platforms to stop threats before they started.But attackers adapted, of course, and networks grew more complex. Perimeter controls were no longer good enough on their own. The cyber industry responded with intrusion detection systems and later with Security Information and Event Management. Detection got a boost from large-scale log aggregation and analytics.This was a great complement to prevention. But it was never meant to replace it.Detection didn’t reduce riskSecurity today focuses on visibility, alerting and response. Executives use metrics like mean-time-to-detect and mean-time-to-respond, and compromise is often assumed to be inevitable. But as detection improves, this has not caused a proportional decline in compromise rates.IBM’s Cost of a Data Breach Report consistently shows that faster identification and containment reduce financial impact. But the average global cost of a breach is still millions of dollars – because detection does not prevent the initial compromise.The initial problem continues to come from the usual places: known vulnerabilities, stolen credentials or misconfigurations. In other words, detection reduces impact in the short term, but it does not reduce structural risk.The limits of a detection-first modelWhen we gather for industry forums like the RSAC Conference, the topics include automation, AI-driven response and operational resilience. These are certainly important, but they have limits. Detection produces false positives and noise. The volume of alerts begins to outpace human capacity to sift through it for the genuine issues. Alert fatigue is real, and talent shortages continue.We observe that the ratio of detection tools versus prevention tools is getting bigger. RSAC Conference runs the largest startup competition in cybersecurity. Over the past three years more than 500 new cybersecurity companies have entered the competition, and we estimate that more than 70 percent of these companies are shipping detection tools, not prevention tools.Detection activates only after a failure has occurred, and unfortunately modern adversaries now operate at machine speed. Vulnerabilities are attacked through automation, and artificial intelligence generates phishing campaigns at a massive scale.As AI lowers barriers to entry and speeds up capabilities, the attack surface will expand even more. Advances in some of the frontier AI models, such as Anthropic’ s Mythos and OpenAI’s GPT-5.5, may unearth previously unknown zero-day risks while chaining together various low-risk vulnerabilities.If that’s not enough, quantum computing raises concerns about cryptographic resilience. Relying primarily on faster alerting is not the best response to all these threats that will simply multiply faster.Prevention changes the economicsOn the other hand, prevention changes defensive economics. To shrink the problem space, a professional can do these things: enable phish-resistant multifactor authentication (MFA), block malicious execution, segment networks and proactively manage vulnerabilities.As exposure decreases, alert volume declines. Detection becomes more effective because noise is reduced.Research shows that organizations have fewer high-impact breaches when they have mature identity governance, proactive patching and zero trust principles. Preventative maturity correlates with reduced incident severity and lower long-term costs. It doesn’t require perfection to be valuable.We think that security leaders, therefore, should reconsider how to define success. Reducing dwell time – the time an attacker is inside your systems – is important. Reducing entry points is fundamental. But when budgets favor post-compromise visibility over preventive architecture and governance, cybersecurity is not fulfilling its original mandate.AI will only amplify the imbalance, as capabilities that once required years of training can now be deployed quickly. Offensive toolkits are readily available.Achieving a better balanceWe believe that scalable prevention architectures and capabilities present a better path forward than expanding analyst headcount.Cyber threats will accelerate and detection will remain essential. But our profession shouldn’t be defined by how efficiently we observe compromise. It should be defined by how effectively we reduce the likelihood of compromise in the first place.This article is published as part of the Foundry Expert Contributor Network.Want to join?