Can Cybersecurity Ever Be Solved? A Practical Look at a More Secure Future
This article expands on ideas originally published by OnDefend’s CTO & Co-Founder, Ben Finke, in the Forbes Tech Council, exploring whether cybersecurity can ever truly be “solved” and what meaningful progress actually looks like in practice.
I am a firm believer that we can clean up a lot of our technological problems, most of which we’ve caused ourselves. But the real question remains: can we actually solve cybersecurity?
We can take a historian’s view and imagine how the security arc might close in a hypothetical future to better understand how we should approach this problem today.
Passwords and the Limits of Identity-Based Security
Let’s start with passwords. It turns out passwords aren’t a great security measure because people generally use (and reuse) passwords that are easy to guess. Making this problem worse, many of the apps we use do a poor job of keeping these passwords secure. Once credentials are leaked as part of a breach on one site, attackers begin trying them on others.
If we’re going to make any meaningful progress, we’re going to have to fix this.
Actually, there is already really good progress on this front. We’ve figured out how to get rid of passwords as the main method of proving that people are who they say they are, by using hardware-backed tokens such as FIDO keys, multifactor authentication, and federated authentication systems like OpenID Connect.
In the future, these technologies will become the standard, and the days of passwords created and managed by end users will largely come to an end.
Software Vulnerabilities and Secure Development
Another major contributor to today’s security challenges is the staggering volume of vulnerabilities in the software we use. Many of these flaws allow attackers to gain full system access or compromise sensitive data.
So, how can we make it so that these software products are not as easily exploitable? One important improvement is the adoption of memory-safe programming languages, such as Rust or Go, eliminating entire classes of software vulnerabilities.
We also need robust security controls embedded directly into the software development process. These controls should identify flaws early and provide actionable feedback to the developers while they are writing code. Better governance of third-party components, whether open source or commercial, will reduce “inherited” risk from widely used libraries and dependencies, such as what we saw with Log4J.
Observability, Detection, and Security Blind Spots
Another fundamental challenge is observability. Do organizations have the ability to identify “malicious” or “unauthorized” activity within their systems?
Too often, logging is configured to only show errors or critical failures. Even when verbose logging mode is available, the data is frequently incomplete or lacks the context needed to understand what’s happening. Many organizations don’t treat observability as a core requirement when selecting software, deploying it, or considering it “production ready.”
Ask what a “normal user session” looks like from the logs, and you get blank stares. Without this ability to establish a baseline of normal behavior, we have a really tough time telling what is abnormal.
In a more secure future, if a digital tree falls in a cyber forest, we’d be able to hear it. Future systems will provide useful, detailed logs by default, making it easier to understand normal operations and detect anomalies.
Modern security analytic tools, far more advanced than early SIEMs, can already consume this data in real time and apply hundreds of different AI-driven digital analysts to hunt for malicious behavior and respond when unusual activity is detected. This is how organizations uncover security control blind spots before attackers exploit them.
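To make the idea of a baseline for a “normal user session” concrete, here is an added example (not code from the original article or from OnDefend). It learns each user’s usual source country, login hours, and session volume from a few constructed log lines, then flags new sessions that deviate; the log format, field names, and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines (not from a real system); field names are assumptions.
BASELINE_LOGS = """\
2024-05-01T09:02:11Z user=alice session=s1 src_country=US events=42
2024-05-02T09:15:40Z user=alice session=s2 src_country=US events=38
2024-05-03T10:01:05Z user=alice session=s3 src_country=US events=45
2024-05-06T08:47:52Z user=alice session=s4 src_country=US events=40
"""
NEW_LOGS = """\
2024-05-08T09:12:03Z user=alice session=s6 src_country=US events=41
2024-05-09T03:22:48Z user=alice session=s7 src_country=RO events=310
2024-05-09T11:00:00Z user=bob session=s8 src_country=US events=12
"""
LINE = re.compile(r"^\d{4}-\d\d-\d\dT(?P<hour>\d\d):\S+ user=(?P<user>\S+) "
                  r"session=(?P<sid>\S+) src_country=(?P<cc>\S+) events=(?P<n>\d+)$")

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # lines missing any context field cannot be baselined, so skip them
            yield m["user"], m["sid"], int(m["hour"]), m["cc"], int(m["n"])

def build_baseline(text):
    per_user = defaultdict(list)  # user -> [(hour, country, events), ...]
    for user, _, hour, country, events in parse(text):
        per_user[user].append((hour, country, events))
    return per_user

def score_sessions(baseline, text, z_limit=3.0):
    findings = {}  # session id -> list of reasons (empty list means "looks normal")
    for user, sid, hour, country, events in parse(text):
        seen = baseline.get(user, [])
        if len(seen) < 2:  # cannot judge "abnormal" without a history
            findings[sid] = ["no baseline for user"]
            continue
        hours, countries, volumes = zip(*seen)
        reasons = []
        if country not in countries:
            reasons.append("new source country")
        if not min(hours) - 1 <= hour <= max(hours) + 1:  # UTC, no midnight wrap
            reasons.append("unusual hour")
        mean, sd = statistics.mean(volumes), statistics.stdev(volumes)
        if sd and abs(events - mean) / sd > z_limit:
            reasons.append("event volume outlier")
        findings[sid] = reasons
    return findings
```

Session s8 shows the blind-spot case: a user with no logged history cannot be scored at all, which is different from scoring as normal.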
Email as the Most Common Initial Access Vector
If attackers can’t guess your password or exploit internet-facing systems, they’ll resort to the most common initial access vector: email.
It is hard to distinguish these targeted phishing attacks from legitimate emails for a variety of reasons. Whether attackers send a malicious link or an attachment designed to deliver malware, or trick you into disclosing your password, the goal is the same: bypass the security controls and convince someone to take action.
In a more secure future, email would operate within strict security guardrails. Unsolicited messages wouldn’t reach users at all. Very little traffic would flow directly via standard SMTP email channels, with most of it coming through a specific app (like the one for your bank) and being verified before showing up in your “inbox.” Today, the inbox is the quickest path to success, as we see over and over again that phishing emails are the source of many breaches.
And what about those attachments that contain the first stage of the attacker’s malware? In this future scenario, systems would only allow software installation from trusted app stores, with apps running in isolated environments, kind of like iOS and Chromebook devices today. Arbitrary downloads and execution from the internet would no longer be possible.
What Does It Really Mean to Solve Cybersecurity?
In practice, solving cybersecurity would require eliminating exploitable vulnerabilities, preventing unauthorized access, and removing the human and technical conditions attackers rely on. Today, security focuses on reducing risk, improving detection, and limiting impact rather than achieving absolute prevention.
Can Cybersecurity Be Solved?
Here’s the million-dollar question. Even if we make enormous strides by implementing all of the above, the answer in the security space, technically speaking, is sadly no.
There will always be scams. People will still fall for fraudulent requests for money, grant access to people who aren’t authorized, and misconfigure apps and systems for convenience, not security. After all, humans ignore plenty of red flags in other parts of their lives; why should this be any different?
Our best shot at solving security is to account for the human element as much as possible. In addition to employee training, we need to build systems where secure behavior is the default, attackers have fewer opportunities to impersonate legitimate parties, and protecting accounts and data is simpler and more intuitive.
I’m certain we will continue building better technical solutions, but that won’t be enough to solve our cybersecurity problem. Small improvements, applied consistently, can make a meaningful difference. Many vulnerabilities exist in systems we assume are secure simply because they are internet-facing. It is difficult to build a secure system when the components used to construct it contain hidden weaknesses.
How Organizations Validate Security in the Real World
The ideas explored in this article highlight a core reality: cybersecurity cannot be solved through prevention alone. Organizations must continuously validate whether security controls, software, and systems behave as expected under real-world conditions.
OnDefend provides Advanced Testing Services designed to uncover hidden attack paths, control failures, and systemic weaknesses that traditional assessments often miss.
These services include:
- Continuous Software Testing: Validating the software supply chain, including dependencies, integrations, and runtime behavior, to identify hidden backdoors, tampering, and inherited vulnerabilities.
- Continuous Network and Cloud Testing: Simulating real adversaries across on-premise, hybrid, and cloud environments to expose misconfigurations, lateral movement paths, and control failures.
- Hardware and IoT Testing: Verifying device integrity and firmware authenticity throughout the lifecycle to uncover hidden operational and supply chain risk.
- AI and LLM Testing: Validating AI data pipelines and model behavior under adversarial conditions to identify manipulation risk and ensure resilient AI-driven operations.
For organizations moving beyond periodic testing, OnDefend’s Continuous Security Inspector (CSI) program provides continuous adversary simulation to identify control drift, emerging attack paths, and validation gaps as environments evolve. CSI operates persistently, using intelligence-driven methodologies to reveal risks that point-in-time testing cannot capture.
Read the original article here: Forbes Tech Council: Can Cybersecurity Be Solved
About OnDefend
OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world cyber threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about their services and solutions, please visit http://www.ondefend.com/