Sitting through a number of presentations at various cyber conferences recently I’m struck that many enterprises cyber security planning comes down to having ‘the best people’ doing really pretty boring jobs. Jobs like keeping software updated, tracking down holes in the firewalls, waiting for alarms to go off, being fed alerts about out-of-date software: in short lots of controlled firefighting. But it all seems like enterprises are just working harder (and expensively) by throwing more people at the problem – instead of finding new ways of doing their business securely.