Whatever You Know Now That Isn't Wrong, Will Be Tomorrow
Published 2026-04-08 | Originally published ~2010, updated for 2026
The Third Law of Guerilla Security
The one constant in information security is change. The software you patched last week has a new vulnerability this week. The encryption algorithm that was strong enough last year is on a deprecation timeline this year. The compliance framework you implemented in January has new requirements by December. The threat actor who targeted your industry last quarter has new tools this quarter.
Constant change demands constant validation. An annual risk assessment is a snapshot of a moving target — useful, but stale the day after it's completed. If your security program operates on the assumption that what was true twelve months ago is still true today, you are operating on assumptions that are almost certainly wrong.
Five Areas Where What You Know Is Already Wrong
1. Software
Every new feature is a new attack surface. Every update fixes old vulnerabilities and occasionally introduces new ones. The supply chain attacks of recent years (SolarWinds, MOVEit, 3CX, the XZ Utils backdoor) demonstrated that the software you trust can become the vector — not through negligence, but through deliberate compromise of the development pipeline itself.
What was safe to install yesterday may not be safe today. Your software inventory needs continuous monitoring, not annual review.
2. Customer and User Expectations
Users demand more access over time, not less. Remote work, BYOD, cloud collaboration, AI tools — each new capability your organization adopts expands the trust boundaries that threat actors can exploit. The balance between usability and security is perpetually shifting, and if you don't shift with it, your users will find workarounds that are worse than anything you were trying to prevent.
3. Encryption and Authentication
56-bit encryption was once "strong enough." Then 128-bit was the standard. Now we're planning the transition to post-quantum algorithms because the cryptographic assumptions underlying RSA and elliptic-curve cryptography may not survive the next decade. Passwords that met complexity requirements five years ago are crackable in hours today. MFA methods that were considered strong (SMS OTP) are now known to be vulnerable to SIM swapping and real-time phishing proxies.
Your authentication and encryption posture needs periodic reassessment against current — not historical — threat capabilities.
4. "Best Practices"
There is no such thing as a "best practice" in information security. Best implies a practice that is categorically better than every alternative — and that almost never holds in a rapidly changing technology environment with dozens of distinct risk profiles, regulatory regimes, and organizational constraints. What is best for a 50-bed rural hospital is not what is best for a $2B commercial bank. What was best for either of them last year may not be best this year.
A more honest taxonomy:
- Preferred practices — the things most organizations should do most of the time, given typical assumptions about threat model and resources. Encrypting passwords at rest is a preferred practice.
- Acceptable practices — what is reasonable in a specific risk environment, even when it diverges from the preferred case. A consultant storing API tokens in a plaintext file on a workstation that is insulated from the internet, accessible to a small handful of trusted operators, may be acceptable practice — not because it is good, but because the marginal risk is small relative to the operational cost of a fuller solution.
- Baseline (or starting) practices — the floor below which a program cannot reasonably go without justification. Encrypt-at-rest on portable devices is a baseline practice; the overhead is so low and the loss-or-theft scenario so concrete that the calculation is almost always favorable.
What none of these are is best. Even the easy cases come with caveats. A CISO who prohibits written passwords while simultaneously enforcing complexity rules, no-reuse policies, frequent rotation, and account lockouts is putting two controls in opposition to one another. Friction and workarounds are the result. Users will write down their passwords because the cost of being locked out of the system exceeds the cost of writing the password on a sticky note. This is not a moral failing in the user; it is the mechanical outcome of layered controls whose costs were never measured against each other. The right practice is the one calibrated to the environment, and that calibration must be continuous.
Frameworks (NIST CSF, ISO 27001, HIPAA, FFIEC) provide structure, not answers. They tell you what to think about, not what to do. The organization that implements a framework as a checklist and declares itself "compliant" has confused the map for the territory.
5. Threats
In 2002, the primary threats were script kiddies exploiting known vulnerabilities and early worms propagating through unpatched systems. In 2012, it was organized crime and nation-state actors conducting targeted intrusions. In 2026, it's ransomware-as-a-service operators using AI to generate unique phishing content, supply chain compromises embedded in trusted software, and ciphertext harvesting for future quantum decryption.
The attackers have the initiative. They choose when, where, and how to attack. Your defense must adapt at least as fast as their offense — and the only way to do that is continuous validation, not annual assessment.
What Constant Change Demands
- Continuous risk assessment. Not annual. STORM quantitative risk measurement is designed for this — frequent, lightweight cycles that track risk over time rather than producing a single point-in-time report.
- Iterative improvement. RAPID delivers security program improvements in short cycles rather than multi-year transformation projects. By the time a three-year project delivers, the threat landscape has moved.
- Control validation. Test your controls regularly. A firewall rule that was correct when written may be irrelevant or counterproductive after a network change. An access control list that was appropriate last quarter may need updating after a reorganization.
- Threat intelligence. Know what's happening in your industry. The threats targeting healthcare are different from those targeting financial services. The threats targeting your specific technology stack are different from generic advisories.
- Willingness to change. The hardest part isn't knowing what to change — it's being willing to change it. Organizations resist change because change introduces risk. But in security, standing still introduces more risk than moving.
Whatever you know now that isn't wrong, will be tomorrow. The organizations that thrive are the ones that accept this and build programs designed to adapt rather than endure.