Too many firms treat software security as a “tower defense” game. When they lose to the attackers, they try to figure out how those attackers “got in.” (To do this, they often hire a firm like Mandiant.) And then they try to build their IT “walls” better. It is tempting to let the bad guy throw rocks at that tower all day long. Then, when the attacker “wins,” we simply redirect some resources to building the walls a bit higher and better. And then we go back to letting attackers throw rocks again.
If we take the Wikipedia article on tower defense games and look at the description, it becomes eerily prescient with respect to some firms’ security posture. A few choice word replacements make this suddenly sound exactly like what’s happening.