To most people, cyberattacks seem like high-tech heists pulled off by shadowy hackers. In reality, they’re rarely that dramatic, and often entirely preventable.
Danny Jenkins, CEO and co-founder of ThreatLocker, says most cyber incidents don’t come from sophisticated zero-day exploits. They usually start with something simpler: misconfigurations, excessive access, outdated software, and weak control over what’s running in the environment.
“Every attack we’ve tracked comes down to basic configuration,” Jenkins said in a recent conversation with The National CIO Review. “It’s about not doing the basics right and not knowing where the gaps are.”
He argues that the strongest move a CISO can make is to simplify and secure what’s already in place.
The Industry’s Complexity Problem
The security industry, Jenkins argues, has a vested interest in keeping things complicated.
“There are thousands of cybersecurity vendors out there, and many of them want to sell treatment, not prevention,” he said.
In that model, the incentive is to react to threats instead of removing their root causes.
Organizations stack detection tools, hire managed services, and add one dashboard after another, but the breaches keep coming. Jenkins says that the real issue is control.
The more tools a team adds, the more noise they have to sift through. And as visibility drops, accountability follows.
When Security Becomes Unmanageable
Enterprise IT teams are often flooded with alerts, each one urgent, few of them clear. In that noise, it’s easy to lose track of what’s actually running in your environment and what shouldn’t be there.
“You have to know what’s in your environment. What software is running, where it came from, who installed it, and you need to ask: should it be there?”
Danny Jenkins
The organizations that excel here take a disciplined approach to control. They apply least-privilege access, use allow-by-exception policies, and keep configuration practices consistent.
Rather than relying solely on outside intelligence to flag risks, they focus on reducing the internal blind spots that attackers exploit.
They’ve shifted their mindset from “How do we detect when something bad happens?” to “How do we prevent it from happening at all?”
Configuration as a Competitive Advantage
Jenkins notes that many enterprise breaches could be prevented by fixing a small set of well-known misconfigurations. There’s no silver bullet, he says, just consistent attention to basic security hygiene.
To build that discipline, some organizations use daily checklists that test hundreds of configuration conditions, flagging issues like lingering admin privileges, unpatched systems, or unnecessary software.
Others take it a step further, introducing scoring models that benchmark progress and spark friendly competition between departments. Jenkins has seen this approach motivate teams to continuously tighten their defenses.
True progress starts when teams can see clearly and act with control.
Culture Drives Security More Than Spend
Across the most secure organizations Jenkins works with, one pattern stands out: success starts with culture.
“The most successful companies focus more on what they don’t know than what they do.”
Danny Jenkins
These organizations value transparency over ego. They never assume their systems are airtight; they test, refine, and adapt constantly.
Jenkins stresses that real security grows out of vigilance.
That vigilance also takes courage. One of Jenkins’ strongest points touched on the human side of cybersecurity: the willingness to speak up.
“I don’t know a single CEO who’s going to ignore their CISO,” he said. “But I think there are more CISOs who are afraid to ask the hard questions.”
The Wrap
Cybersecurity has become a maze of frameworks, buzzwords, and dashboards. But when you strip it all back, most breaches come down to something simple: a missed patch, an open port, or a user with too much access.
These are avoidable failures.
Before chasing the next shiny thing, get a firm grip on what you can control. Know your environment. Lock it down. Keep an eye on it.
Security holds up when discipline becomes routine, doing the right things every time.
