Here’s how to doom a cybersecurity program: Think of cybersecurity as a war against an attacker that must be fought to the finish, invest in threat tracking technology for threats your organization has no capabilities to defend against, and let the sunk cost effect determine how you spend your security budget.

In reality, cybersecurity is more like policing crime than going to war and returning when you’ve won. There will always be criminals. The goal should be to manage crimes in a resilient way.