Meaning in the Signal

The Constraint Moved and Nobody Noticed

Tags: security, theory of constraints, vulnerability management, comprehension, investment

Eliyahu Goldratt had a gift for stating things that sound obvious in retrospect but are, in practice, almost universally ignored. His Theory of Constraints (Goldratt, 1984) rests on a single deceptively simple observation: in any system, there is always one constraint that governs throughput, and improving anything other than that constraint produces no meaningful improvement in outcomes. None. You can optimise every other part of the system with extraordinary sophistication and the system will not flow any faster, because the bottleneck sits elsewhere, quietly absorbing all that upstream energy and converting it into queue.

I have been thinking about this a great deal recently, because I believe it describes with uncomfortable precision what is happening across most of the cybersecurity industry right now. The constraint has moved. The investment hasn’t.

When Detection Was the Right Thing to Optimise

There was a period, not so long ago, when the constraint in security operations was unambiguously visibility. You couldn’t defend what you couldn’t see, and the bottleneck was detection: insufficient sensors, incomplete log coverage, signature-based tools that missed novel threats, and dwell times measured in months rather than hours. A 2016 Mandiant M-Trends report put the median dwell time at 99 days globally; in the Asia-Pacific region it was an eye-watering 172 days. Organisations were being breached and had no idea. Under those conditions, every dollar invested in detection capability returned a measurable dividend, because detection was genuinely the thing preventing the system from flowing.

The industry responded with formidable collective energy. SIEM platforms matured. EDR displaced legacy antivirus. Threat intelligence feeds proliferated. Cloud-native monitoring emerged. AI-powered vulnerability discovery entered the picture and began to operate at a speed and scale that no human team could match. Bug bounty and crowdsourced security programmes brought diverse human creativity to bear on attack surface enumeration. The constraint, slowly and then very rapidly, dissolved.

This was a genuine achievement. I don’t want to diminish it.

The Pipe We Didn’t Notice

What the industry failed to appreciate, and I include myself in this, is that solving for the old constraint would expose the next one. Goldratt was clear on this too: when you break a constraint, a new constraint immediately emerges somewhere downstream. The system doesn’t become unconstrained; it becomes differently constrained. The question is whether you notice, and whether you respond.

Today, in most mature security organisations, the constraint is not detection. It is comprehension. The bottleneck is no longer finding things; it is understanding which of the things you’ve found actually matter, in this environment, to this business, today. And the evidence of this is everywhere, once you know to look for it.

It shows up in the vulnerability management programmes carrying backlogs of tens of thousands of valid, true-positive findings, every single one technically accurate, none of them telling the analyst which one will be exploited on Thursday. It shows up in the SOC, where alert queues grow faster than teams can clear them and the response to volume is, increasingly, to raise the threshold for escalation rather than to understand the alerts more deeply. It shows up in the board meeting where the CISO presents a coverage metric, a percentage of assets monitored, a number of findings identified, and the board nods along without anyone in the room being able to answer the question that actually matters: are we safer than we were last year?

These are not technology failures. They are the signature of a misidentified constraint.

The Investment That Hasn’t Moved

Here is the part that I consider genuinely alarming, and I want to be direct about it. Look at where the security industry’s money goes. SIEM and log management. Endpoint detection and response. Vulnerability scanning platforms. Threat intelligence feeds. All of these are investments in the upstream pipe, the detection capability, the part of the system that no longer governs throughput. They are necessary investments; I am not arguing for a moment that we should stop making them. But they are no longer the investments that will move the needle on actual security outcomes.

Now look at where investment in comprehension sits by comparison. Crown jewel analysis, meaning a rigorous, business-aligned understanding of what actually matters most in the organisation, is treated in most security programmes as a workshop exercise done once and revisited never. Attack path modelling, the capability to trace a realistic exploitation chain from an initial finding through to a business-critical asset, is available in a handful of tools but adopted in a fraction of organisations. Threat actor contextualisation, the capacity to ask “who would actually exploit this, and do they have the intent and capability to target us specifically”, is something most teams consume as a feed rather than operationalise as a function. And the human capacity to interpret, synthesise, and act on complex, contextual signal is chronically underdeveloped relative to the human capacity to generate and process raw findings.
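As an added illustration of the crown-jewel analysis and attack-path modelling described above (example code written for this page, not from the post or any product), the following ranks the same backlog of true-positive findings two ways: by CVSS alone, and by how few hops each finding sits from a business-critical asset. The asset graph, crown-jewel set and findings are constructed.

```python
from collections import deque

# Constructed environment: directed reachability between assets, i.e. which
# hosts can initiate connections to which. Not taken from the post.
GRAPH = {
    "vpn-gw":      ["jump-host"],
    "jump-host":   ["app-server"],
    "app-server":  ["customer-db"],
    "dev-box":     [],              # isolated lab machine, reaches nothing
    "customer-db": [],
}
CROWN_JEWELS = {"customer-db"}      # assumed output of a crown-jewel analysis

# Constructed true-positive findings: (finding id, affected asset, CVSS score).
FINDINGS = [
    ("F-1", "dev-box", 9.8),        # critical score, but on an isolated host
    ("F-2", "vpn-gw", 7.5),         # entry point, three hops from the jewel
    ("F-3", "app-server", 7.2),     # one hop from the crown jewel
    ("F-4", "jump-host", 8.1),
]

def hops_to_crown_jewel(graph, start, jewels):
    """BFS over reachability; hop count to the nearest crown jewel, or None."""
    if start in jewels:
        return 0
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in jewels:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def rank_by_cvss(findings):
    """The 'detection' ordering: severity alone, no environment context."""
    return [f[0] for f in sorted(findings, key=lambda f: -f[2])]

def rank_by_attack_path(findings, graph, jewels):
    """The 'comprehension' ordering: fewest hops to a crown jewel first,
    unreachable findings last, CVSS only as a tie-breaker."""
    def key(f):
        hops = hops_to_crown_jewel(graph, f[1], jewels)
        return (hops is None, hops if hops is not None else 0, -f[2])
    return [f[0] for f in sorted(findings, key=key)]

if __name__ == "__main__":
    print("by CVSS:       ", rank_by_cvss(FINDINGS))
    print("by attack path:", rank_by_attack_path(FINDINGS, GRAPH, CROWN_JEWELS))
```

The CVSS ordering puts the isolated host first; the path-aware ordering puts the host adjacent to the crown jewel first and the isolated one last. A production model would also weight exposure, exploitability and the threat-actor context the paragraph mentions, which this example deliberately leaves out.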

Furthermore, look at how vendors compete. On detection breadth. On scan speed. On finding volume. On coverage. Almost nobody is competing, at least not yet, on the quality of the meaning they help you extract. The market is still organised around the old constraint.

What Goldratt Would Say

Goldratt would say, I think, that we are running the fastest pipe in the history of security into the narrowest bottleneck we’ve ever built, and calling it progress. He would say that every incremental investment in detection capability, applied to a comprehension bottleneck, produces zero improvement in throughput and considerable improvement in queue length. He would say, with the slightly impatient air of someone who had explained this before, that the question is not “how do we find more?” It is “where is the constraint?”

The constraint is comprehension. It has been for a while now. The organisations that recognise this earliest, and begin to redirect investment accordingly, will not simply be more efficient than their peers. They will be meaningfully safer. And in a field where the consequences of getting it wrong are measured in data breaches, operational disruptions, and the quiet erosion of the trust that modern digital economies run on, that asymmetry matters rather a lot.

So: when did you last audit your security investment portfolio through the lens of your actual constraint?

If the answer is “we haven’t”, that is the work.


“Meaning In the Signal” is published weekly. Read the inaugural post here.