Is complexity holding the cybersecurity industry back?

https://www.digit.fyi/is-complexity-holding-the-cybersecurity-industry-back/

Publish Date: 2026-02-05 09:06:00

Source Domain: www.digit.fyi

For many organisations, cybersecurity no longer feels like a source of protection. It feels like a wall of jargon, frameworks, and conflicting advice that’s difficult to question and even harder to act on.

According to Amy Lemberger, an experienced Chief Information Security Officer and founder of The CISO Hub, this isn’t a failure of businesses; it’s a failure of the security industry itself.

Cybersecurity, she argues, has become over-engineered and performative. In trying to prove its sophistication, the industry has made itself inaccessible to the very people who are expected to make decisions.

“The industry has massively overcomplicated security,” Lemberger says. “We’ve turned something that should support decision-making into something people feel excluded from.”

She points to a growing gap between compliance and actual protection. Frameworks, certifications, and audits are often treated as proof of security, when in reality they are only indicators of process.

“Compliance and security are not the same thing,” she says. “But they’re constantly conflated. You can be compliant and still exposed in all the ways that matter.”

This confusion leaves many business leaders feeling stuck. They know something isn’t right, but they don’t know how to challenge what they’re being told. Over time, that uncertainty turns into silence.

“I regularly speak to senior leaders who tell me they feel too stupid to ask the right questions,” Lemberger says. “That’s not their failure. That’s ours as an industry.”

Instead of clarity, businesses are often met with dense language, vendor-driven narratives, and technical detail that obscures rather than informs. Security discussions become abstract, detached from real priorities like growth, delivery, and resilience.

The result is a strange contradiction. Organisations invest heavily in security yet remain unsure about what they are…