Has the Cyber Security Industry Made Itself too Complicated to be Useful?

For many organisations, cyber security no longer feels like a source of protection. It feels like a wall of jargon, frameworks, and conflicting advice that’s difficult to question and even harder to act on.

According to experienced Chief Information Security Officer Amy Lemberger, who is the founder of The CISO Hub, this isn’t a failure of businesses; it’s a failure of the security industry itself.

Cyber security, she argues, has become over-engineered and performative. In trying to prove its sophistication, the industry has made itself inaccessible to the very people who are expected to make decisions.

“The industry has massively overcomplicated security,” Lemberger says. “We’ve turned something that should support decision-making into something people feel excluded from.”

She points to a growing gap between compliance and actual protection. Frameworks, certifications, and audits are often treated as proof of security, when in reality they are only indicators of process.

“Compliance and security are not the same thing,” she says. “But they’re constantly conflated. You can be compliant and still exposed in all the ways that matter.”

This confusion leaves many business leaders feeling stuck. They know something isn’t right, but they don’t know how to challenge what they’re being told. Over time, that uncertainty turns into silence.

“I regularly speak to senior leaders who tell me they feel too stupid to ask the right questions,” Lemberger says. “That’s not their failure. That’s ours as an industry.”

Instead of clarity, businesses are often met with dense language, vendor-driven narratives, and technical detail that obscures rather than informs. Security discussions become abstract, detached from real priorities like growth, delivery, and resilience.

The result is a strange contradiction. Organisations invest heavily in security yet remain unsure about what they are actually protected against. Risk is documented but not properly understood. Decisions are deferred because the conversation feels too complex to engage with.

Lemberger believes this is why so many cyber security programmes stall. Not because leaders don’t care, but because the industry has made meaningful engagement unnecessarily difficult.

“When people don’t understand something, they disengage,” she says. “Security then becomes something that happens around the business, not something that’s part of how the business operates.”

She argues that effective security leadership is less about adding more layers and more about stripping things back. Plain language. Honest trade-offs. Clear explanations of what matters now and what can wait.

Cyber security, she says, should help leaders make better decisions, not make them feel inadequate for not being technical specialists.

Until the industry confronts its own role in creating confusion, the gap between effort and outcome will remain. Businesses will continue to spend, comply, and report, while still feeling uncertain about their true level of protection.

Security needs to be simpler because clarity is what makes action possible.
To learn more, visit www.ciso-hub.uk.
