The Metro Ethernet Forum's GEN15 conference brought together the networking industry's senior leadership at a moment when the perimeter between enterprise networks and the public internet was dissolving at an accelerating pace. Stuart McClure's presentation posed the question that the conference participants most needed to hear but were least likely to ask themselves: are we complacent?
The answer Stuart delivered was yes — and not casually. The security industry had developed sophisticated tools, processes, and frameworks, and those things created an institutional confidence that the problem was being managed. But the data told a different story. Breach dwell times — the time between initial compromise and detection — were measured in months. The most consequential attacks were succeeding against organizations with mature security programs. Something was fundamentally wrong with how the industry was thinking about the problem.
Stuart's argument was that complacency had two sources. The first was the natural human tendency to feel confident when you have done everything you are supposed to do — bought the recommended products, built the recommended processes, hired the recommended people. The second was structural: the security industry's business model was based on detecting and responding to breaches rather than preventing them, which meant that the incentives running through the entire ecosystem were aligned with the wrong goal.
Cylance's thesis — that mathematical prevention was achievable and that the industry needed to commit to it — was the prescription Stuart offered. The presentation at GEN15 was one of his most direct challenges to an industry audience to move beyond the comfortable assumptions that were keeping organizations perpetually behind their adversaries.