You may remember one of the Beatles’ first hits, ‘Can’t buy me love’. There are many reasons why the song lives on. One of them is that there is – even these days – a lot of stuff you cannot buy. Like my mother-in-law observed about her situation at a care facility recently: I need hearts more than hands – and they cannot be bought.
My main topic is security, not healthcare, but it’s interesting how entirely different domains overlap in many ways. Like the never-ending problem of funding. It seems that however much money is poured into (or onto) the challenge – in security, healthcare, education, you name it – there is little or no improvement.
Thus I’m sure you’ll recognize this question: ‘Haven’t we spent enough on security?’ – just replace ‘security’ with something in your line of business.
For now, let’s stick with security, and here’s the thing: A quick look at reality and the answer is a resounding NO. We have obviously not spent enough. Or – and here’s the point: Maybe money isn’t the problem. What if our ‘pouring money at the problem’ is useless, possibly even exacerbating it instead of solving anything?
In cyber-security, that’s quite frequently the case. We’re pretending that products and mechanisms can create security, defences, protection. It doesn’t work. Because good security isn’t a product or a service, it’s a culture. Most people I talk to admit that they know that. Still, it’s being ignored when plans are made and budgets decided. Culture is this elusive or intangible thing that cannot be put into spreadsheets or graphs, so it’s being avoided, ignored. That’s why all this spending delivers so little.
Products and services are required but if the culture is lacking, the security will never be good and certainly not good enough. Let me put it in a different way: Products and services do not deliver security or protection, they are supporting your security culture. A very important distinction because it makes the headline obvious: You cannot buy security.
‘What else is new?’ I suspected you’d say that, and it’s true. We’ve known this for years. Training, books, classes, seminars, speeches, reports and much more since forever. And again, it applies to any type of security (and countless other disciplines) – as vividly evidenced by the Russian military forces, where the culture in many cases seems not lacking but absent. Not that they have good services or products, but if they did it wouldn’t help. It starts and ends with the culture, the people, the attitude. Hearts and minds.
Back to the technical realm, security has been part of my professional life for more than 30 years. Which means I’ve seen it all – since the infamous Morris Worm turned the Internet, and the open world it created, on its head and mandated not only closed doors and locked windows, but a new attitude. The Internet wasn’t an innocent, creative, friendly, open village any more, it was a mirror of the (real) world.
Fast forward to today, the Internet and the virtual (digital) realities it enables are mirrors of an unfriendly world creaking at the seams in many ways. Both the real and virtual worlds depend on a functional, sound culture to function, to survive. Now, that sounds like a mouthful – more like political gobbledygook, and certainly something someone else must fix. It’s not. Culture is you and me. Culture is programming – determining how we react, what we like, how we behave, what we believe in and much more. Culture is something we learn, and much of that learning is automatic – programming by observing, which is what we do from the day we’re born. Which means – unsurprisingly – that kids growing up under certain circumstances have security ingrained in their reflexes. Most of us don’t, but we can learn – and we have to learn in order to participate in our own future. It starts with you and me understanding our own roles and acting them.
But that’s what we’re doing already, isn’t it? No, and here’s a goal for the upcoming year: Think, learn, participate. Visualize this huge flock of birds creating fantastic waves of movement in the sky. Impressive, fascinating, isn’t it? That’s us – when we have a functioning culture – whether at work, at home, in the neighbourhood, in the family. The constantly changing wave of birds – or fish for that matter – is enabled by everyone knowing their role and acting it predictably, with respect for the others and the whole, the entity. Just like every bone in your foot cooperates smoothly when you’re walking or running.
Actually, this is how people in small, even large societies used to function before we got wealthy and lazy. If you didn’t like the sound of that, you’re in good company. I don’t like it either, but it’s the truth. And we can do something about it. Money can buy us tools, but not results. Real security, safety, defence, hearts, friends and so on. It has been observed millions of times before. It starts with understanding, not funding. Culture is who we are, not something we buy.
Remember the flock of birds, that’s us. The culture makes it possible. We can do that. We can ‘program ourselves’ to respond correctly to threats. Even concealed ones. Like ‘I need your password to do that’. ‘Your social security number is required.’ ‘Enter your PIN code.’ An automatic ‘why’ pops up in the front of your head. In a split second you’ve determined whether that makes sense or not. You’ve left zombie state and become activated. Does that sound good? It’s better than that, it’s great.
How’s that for a goal for 2023?