If you’ve been in the cyber industry for a while, you start to notice cybersecurity has a "Groundhog Day" quality.
We change acronyms and leverage hot new phrases, but the headlines remain the same: passwords still get stolen, people still get phished, S3 buckets still get left open and confidential data still gets leaked.
We often lie to ourselves to explain this. We say the C-suite doesn’t care. We complain about "executive apathy," picturing a board of suits shrugging their shoulders at our heat maps.
In my experience, this is rarely true. Most boards care deeply and are terrified of being the next headline. They are approving cyber spend, reading reports and hiring talent to try and solve the problem. They aren’t apathetic – they are suffering from Active Inertia.
Let’s Break the Mold
Active Inertia is a concept from management theory that explains why successful companies fail. Faced with a changing world, they don't sit still; they accelerate the activities that worked for them in the past, getting busier, but not changing.
In cybersecurity, Active Inertia looks like a team drowning in spreadsheets, working 80-hour weeks to patch "critical" vulnerabilities that represent zero risk, simply because policy demands it. It is the sensation of running faster just to stay in the same place, or flooring the accelerator while stuck in mud, hoping you’ll move forward instead of deepening the rut.
To break this inertia, cyber teams must stop looking at their environment as a list of compliance requirements. The traditional approaches give us lists of building blocks, like individual CVEs, identities, assets and misconfigurations. These aren't exposures or security-related issues; they are just a pile of parts that match a compliance framework written 10 years ago.
To attempt to address this, the industry has thrown new acronyms at the problem. We have Attack Path Analysis, Blast Radius capabilities and graphs with edges. These are useful, but often just fancy ways of drawing lines between the parts in the pile. They link a CVE to an asset, but they fail to capture the dynamic nature of an attack.
We need a better mental model. A more pragmatic way to understand exposure is to stop thinking about maps and start thinking about circuits.
A true attack path isn’t just a set of hops between devices. Attackers behave like an electrical current: they naturally flow through the path of least resistance. A complex path with zero resistance is infinitely more dangerous than a short path requiring a nation-state level of effort to traverse. Good proactive security isn't about closing every gap; it's about modelling these paths and raising resistance at the steps that matter.
If we want to break Active Inertia, we need to stop polishing individual components and start modelling these circuits.
We must identify the "resistors": not just critical CVEs, but the weak passwords and cloud misconfigurations offering zero resistance to an attacker. We must understand the "voltage" and recognise that a vulnerability actively exploited in the wild carries a far higher charge than a theoretical flaw on a test server.
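As an added illustration (not the article's own code), the circuit model described above expressed as a weighted path search over a constructed, hypothetical environment: each exposure is a step with a resistance, active exploitation in the wild lowers that resistance (the "voltage"), and the lowest-resistance path to the customer database is where resistance should be raised first. The node names, effort values and the 0.2 voltage factor are all assumptions made for the example.

```python
import heapq

# Constructed exposure list for a hypothetical environment (not from the article).
# Each step is (source, target, effort, actively_exploited): effort is the relative
# attacker effort to traverse it (higher = more resistance); actively_exploited is
# the "voltage" signal, which sharply lowers a step's effective resistance.
EXPOSURES = [
    ("internet", "vpn", 1.0, False),            # reused VPN password, no MFA
    ("vpn", "workstation", 1.0, False),         # flat network, SMB reachable
    ("workstation", "file_share", 0.5, False),  # world-readable share
    ("file_share", "customer_db", 0.5, False),  # admin password in a script
    ("internet", "web_app", 50.0, False),       # theoretical RCE, no public exploit
    ("web_app", "customer_db", 1.0, False),     # app holds direct DB credentials
]
VOLTAGE_FACTOR = 0.2  # a step exploited in the wild keeps 20% of its nominal resistance

def resistance(effort, actively_exploited):
    return effort * (VOLTAGE_FACTOR if actively_exploited else 1.0)

def build_graph(exposures):
    graph = {}
    for src, dst, effort, hot in exposures:
        graph.setdefault(src, []).append((dst, resistance(effort, hot)))
    return graph

def least_resistance_path(graph, start, goal):
    """Dijkstra over resistance; returns (total_resistance, [nodes on the path])."""
    best, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        total, node = heapq.heappop(heap)
        if node == goal:
            path = [node]
            while node in prev:
                node = prev[node]
                path.append(node)
            return total, path[::-1]
        if total > best[node]:
            continue  # stale heap entry, a cheaper route was already found
        for nxt, r in graph.get(node, []):
            if total + r < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = total + r, node
                heapq.heappush(heap, (total + r, nxt))
    return float("inf"), []

def raise_resistance(exposures, src, dst, new_effort):
    """Model a fix (e.g. enforcing MFA on one step) by raising that step's effort."""
    return [(s, d, new_effort if (s, d) == (src, dst) else e, hot)
            for s, d, e, hot in exposures]
```

Running `least_resistance_path(build_graph(EXPOSURES), "internet", "customer_db")` picks the four-hop chain of trivial steps (total 3.0) over the two-hop route through the hard CVE (total 51.0); after `raise_resistance(EXPOSURES, "internet", "vpn", 60.0)` the cheapest path flips to the web app, showing which resistor to raise next.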
Rephrase the Risk
This "circuit mindset" can also be how we solve the communication gap with the board. When we present executives with a list of 10,000 vulnerabilities, their eyes glaze over. That feeds inertia. They assume IT teams just needs to "work harder" because compliance and history tell us that Critical and High issues need to be addressed in 90 days.
But when we present the problem as a circuit, the conversation changes. We can say: "We have identified a low-resistance path that leads directly to our customer database. Others are fixing this and, currently, we are the easiest target in our sector. Here is the best and most cost-effective way to raise the resistance."
Adding in metrics on how quickly you fixed it and the amount of effort it took as a predictor of what you’re asking to address will only make the conversation resonate more. You move the conversation from having to fix thousands of issues in 90 days to how you found and fixed the few which mattered in hours.
This shift in mindset is no longer optional. The modern threat landscape is unforgiving of inertia, specifically because of the speed of AI adoption within the attacker economy. If you are trying to fight AI-driven cyberattacks by just hiring more analysts, you’ve already lost. AI-powered attackers aren’t superhuman cybercriminals. They are just ruthlessly efficient automation. They take low-resistance exposures and exploit them at scale.
And what is our response? We fall into Active Inertia. We take our 20-year-old, human-dependent processes (scanning, ticketing, manual validation) and we try to run them faster. We scan weekly instead of monthly. We demand analysts close 50 tickets a day instead of 20. We shrink SLAs.
But you cannot scale a linear, human process to match exponential machine speed. You are just burning out your best people and failing to shore up your defences. While your team is waiting for approval on a change request ticket, the AI attacker has already found your open door and walked right through it.
We need to stop trying to optimise the old. It’s time to pivot. You must fight AI with AI. If the attack is automated, the prioritisation of what matters and remediation to fix the issues must be too. Stop checking boxes. Start measuring resistance and break the circuit before the current flows.
