The biggest technology companies and finance firms — including Facebook, which now reports up to 50 million user accounts may have been taken over by criminal hackers — invest many millions in cybersecurity and still fall victim to significant attacks.
It may be a function of where those many millions are going, which at many companies, is often backward rather than forward, focused on yesterday's or last year's problems and not on what might be coming next.
Last November, Facebook CEO Mark Zuckerberg told investors that he intends to make a point of communicating that cybersecurity spending will be hard on earnings, but is a necessary component of the company's forward-looking goals.
He said Facebook would double its security staff in 2018 by adding contractors, especially security engineers, from 10,000 to 20,000 employees. The company has also been spending more on artificial intelligence, in part to cull rogue accounts meant to sow discord with false stories in U.S. elections and other government activities.
In the company's second-quarter 2018 earnings call, Zuckerberg pointed out one of the toughest lessons for all companies as big as his, "Security is not a problem that you ever fully solve."
First, one of the top issues companies must contend with is that many of the cybersecurity problems they are tasked with fixing are backward-facing, based on major issues of the past. That leaves the door wide open for innovators on the adversarial side.
Whichever issue brings a company the sharpest criticism from the public, the most attention from regulators or the most worry from its board, that's what will get the focus internally, including from executives who hold the budgetary purse strings. In Facebook's case, its security efforts have been especially laser-focused on election-related "fake news."
The same is true at all big institutions with a target on their back for criminal attackers. Cybersecurity executives in the health-care, logistics and shipping industries have told CNBC they are putting a significant portion of their attention toward ransomware mitigation and disaster planning, following the WannaCry and NotPetya ransomware-worm attacks launched last year.
In the same vein, cybersecurity insiders at a range of top finance firms have told CNBC in the past year that they have put an exceptionally heavy emphasis on spinning up projects to prevent another breach like that which struck Equifax in September 2017, at the behest of boards and shareholders. Those initiatives typically include putting a huge focus on the public response plan for a data breach and reconsidering how these companies patch their systems en masse.
Of course, in 2017, Equifax itself was focused on something else before its massive breach: Chinese spies, one of the headline cyberattack concerns of 2015 and 2016.
All of these cyber-issues are important to address, but it is also important to give equal focus to forward-looking matters. That's because criminals, trolls and other malicious actors aren't constrained by a company's yearly budget allocation meeting and quarterly reporting schedule.
Criminals, by contrast, can pivot strategies on a whim. And in some ways, they are just as mindful of what the Facebook CEO might need to do and say to please his shareholders and board as is Zuckerberg himself.
"This is a really serious security issue and we are taking it very seriously," Zuckerberg said.
Undoubtedly companies may be "serious" about security, but criminals are serious about working around it. And for that, it may be time for rethinking how companies are held accountable for breaches, and how they should look to keeping more secure in the future.