Reactive cybersecurity programs are destined for a fate similar to the story of the boiling frog, one that doesn’t know it’s in trouble until it’s too late. Proactive and predictive approaches to cybersecurity are a must because they act as early warning systems that alert organizations before disaster strikes.
A few days ago, while reading about linguistics, I stumbled upon the story of the "boiled frog." Imagine a frog sitting in a pot of cold water that is slowly heated. At first, the frog thinks, "Ah, what a relaxing bath!" But as the water grows hotter and hotter, the frog realizes—too late—that it is in danger. This story serves as a perfect metaphor for how many organizations approach cybersecurity: they fail to notice the rising threats until it’s too late.
In the cyber world, many organizations behave like the boiled frog. They wait for a cyberattack to occur before reacting, a reactive posture that can lead to disastrous outcomes. This behavior often stems from a culture that does not treat prevention as a core strategy. The longer action is delayed, the faster costs and damages escalate.
As a cybersecurity consultant, I frequently encounter this reactive culture across organizations, regardless of the age or experience of executive managers. This "anti-method" prevents the daily adoption of critical thinking, reflective reasoning, and a culture of doubt—tools that should serve as a compass for identifying operational flaws. Too often, this essential ingredient is missing in corporate cultures. It manifests in reactive behaviors rooted in overconfidence, lack of expertise, insufficient preparation, and an absence of holistic vision.
Let’s take an example from the healthcare sector. Imagine a hospital with a reactive approach to cybersecurity. System administrators only intervene when problems or attacks occur, operating for years without systematic audits or updated procedures and policies. Risk analysis is seen as an unnecessary cost and performed only every three years. Critical vulnerabilities are ignored, and risk assessments are not integrated into daily operations.
One day, ransomware spreads through the hospital's network via an outdated medical device sitting on a poorly segmented VLAN on obsolete switches, the result of accumulated negligence. In a short time, the attack severely disrupts healthcare services: doctors cannot access patient records to prescribe treatments or perform surgeries. The loss of access delays treatment, leads to medical errors, and endangers patients. The hospital is forced to bring in an external incident response team, consider paying the ransom (which is never advisable), and bear the legal and communication costs of notifying patients and restoring security.
The result? The frog is boiled—and served.
One key issue among executive managers is their misplaced confidence in controlling complex systems. This mindset contradicts the incremental approach required by cybersecurity—a culture of "cyber by design" that incorporates doubt and critical thinking into everyday operations. A manager who believes they have absolute control over dynamic systems introduces reckless practices that endanger both people and processes.
Simplifying complexity is often a sign of someone unwilling to understand it fully. In dynamic systems like organizations, where variables multiply daily and are constantly influenced by human factors, this false sense of control becomes self-deception. As Robert Trivers explains in "Elements of a Scientific Theory of Self-Deception," humans deceive themselves because they believe it increases their chances of survival. But this self-deception condemns organizations to the fate of the boiled frog: facing crises that are more complex and harder to resolve.
If only the frog had questioned why the temperature was rising! If it had analyzed its environment critically, it might not have met its unfortunate end.
In my experience, many managers believe they have control over digital systems—despite the inherent unpredictability of protocols not designed with security in mind. This belief concerns me deeply. The first challenge in dismantling this reactive culture lies in overcoming resistance from operational structures entrenched in outdated practices.
I often encounter consultants and managers convinced they are "in control" and resistant to change-management initiatives. I already know they are "boiled frogs," unaware that the temperature has already risen. Even a script kiddie, not an advanced attacker but someone capable of a basic SYN flood, can exploit such cultures effortlessly.
Persistent attackers thrive when they encounter these reactive environments. During reconnaissance phases or assessments, attackers can easily deduce managerial culture and exploit it systematically: raising the temperature bit by bit while studying their target until it’s too late for anyone to react.
Is there hope for boiled frogs? Yes! Proactive and predictive approaches—like threat hunting or security by design—act as early warning systems that alert organizations before disaster strikes. Identifying and mitigating vulnerabilities before they escalate is key to avoiding third-degree burns.
To achieve this, organizations need a cyber-aware culture focused on prevention. This involves engaging all levels of the organization and leveraging tools for continuous threat monitoring, a direction explicitly pushed by regulation such as the EU's NIS2 Directive.
Don’t let negligence boil your organization! Act promptly to prevent future crises and keep your organization safe in an increasingly hostile cyber world.
But how can this be achieved? Organizations are made up of people who rely on external vendors to achieve business objectives. People are naturally resistant to change and tend to adapt passively to negative situations until it’s too late. Companies that embed systematic risk analysis into their operations provide not only secure services but also peace of mind for their stakeholders—patients and their families included.
Francesco Terlizzi is professor of cybersecurity at Marconi University in Italy, where he also leads the university's Cybersecurity Lab for CTA (Cyber Threats Analysis). He is also CEO of the system integrator ACRM Net.