
Operational Gaps and Tool Sprawl Create Hidden Risk in Cybersecurity's 'Unmanaged Middle'

The Security Digest - News Team
Published
January 20, 2026

Tool sprawl and operational gaps create cybersecurity blind spots. Mike Andrewes, cybersecurity advisor and owner of Yastis, mitigates the "unmanaged middle" with a risk-first strategy.

Credit: Oytlever

Key Points

  • Expanding tech stacks create an "unmanaged middle" where attack surfaces grow faster than accountability, leaving risk to fall between tools, teams, and operational oversight.

  • Mike Andrewes, a cybersecurity advisor and owner of Yastis, frames cyber failure as a structural and operational problem, not solely a lack of tools or budget.

  • He advocates for a risk-first model that defines ownership, limits complexity to what teams can actually manage, and prioritizes effective execution over tool acquisition.

The blind spots sit on the borders where one team says 'that's not us,' and another team says the same thing. That 'not my job' culture creates the unmanaged middle, and that is what puts the company at risk.

Mike Andrewes

Cybersecurity Advisor and Owner

Yastis

At most organizations, the finger-pointing starts almost immediately after a data breach. But the real culprits aren't always sophisticated hackers or insufficient spending. More often, it’s the unmanaged complexity within an organization, such as sprawling tech stacks, fragmented operational processes, and critical gaps between teams, that creates the most dangerous vulnerabilities.

Mike Andrewes, a cybersecurity advisor and owner of Yastis, sees these structural and operational failures as the true drivers of cyber risk, creating an "unmanaged middle" where threats thrive. Using his background as a Cyberspace Operations Officer in the Ohio Air National Guard and previous roles at Lockheed Martin and the Department of the Air Force, he guides startups and SMBs through complex compliance environments.

From his perspective, effective cybersecurity is less about buying the latest tools and more about disciplined execution and clear operational ownership. “The blind spots sit on the borders where one team says 'that's not us,' and another team says the same thing. That 'not my job' culture creates the unmanaged middle, and that is what puts the company at risk,” he says.

  • Attack surface explosion: The allure of new technology often leads organizations to adopt tools without fully understanding the operational overhead they introduce. Each new integration, workflow, or piece of software expands the attack surface, adding layers of complexity that can quickly become unmanageable. Andrewes cautions against adding tools for marginal gains, stressing that the perceived benefits rarely outweigh the hidden costs. "If it’s only saving me five to ten percent, it’s not worth it because you’re expanding your attack surface," he says.

  • Manufactured complexity: This expansion of complexity is often exacerbated by what Andrewes calls “manufactured complexity.” As new tech emerges, the market can become flooded with vendor solutions. This dynamic aligns with a universal principle of economics, he explains, paraphrasing the investor Charlie Munger: "Show me the incentive and I will show you the outcome." If market incentives reward complicated solutions over simple ones, then complexity is what the market will produce. Countering this requires a disciplined, risk-first framework.

While technical tools are a significant part of the attack surface, Andrewes points out that people often represent the most critical vulnerability. "A company with five or ten cybersecurity-savvy people could keep its systems safer than a trillion-dollar company because people are the attack surface," he says. The human element encompasses everything from training gaps and social engineering susceptibility to simple human error. Effective operational security, therefore, must prioritize the human factor, ensuring teams are empowered to act as a cohesive defense.

Even with a well-chosen tech stack, risk emerges in the interaction layer between tools. Security teams are often overwhelmed by alerts from disconnected dashboards, creating a constant stream of low-value noise that obscures genuine insight. Andrewes believes the solution is an honest assessment of a team’s finite resources.

The first step is to define a team's true capacity for analysis. If a team can realistically process only a hundred alerts a day, then efforts must focus on filtering and prioritizing the most critical signals. "If you know important alerts aren’t getting analyzed, that’s negligence," he says. This means optimizing existing resources and, where possible, finding ways to automate more of the analysis to ensure critical alerts are never knowingly ignored due to lack of capacity.

  • The unmanaged middle: The operational friction between tools often reflects a deeper disconnect between the human teams that manage them. Andrewes points to the Coinbase help desk incident as a prime example of risk living in the seams of an organization, where accountability can dissolve. In that incident, an overseas help desk employee was bribed to provide sensitive data, leading to significant personal risk for users. "Some people were saying, 'How could Coinbase get hacked like that?'" Andrewes recounts. "And then other people in the company itself were saying, 'Oh, no. We didn't get hacked. Our user got tricked.' So that's social engineering. Is every instance of social engineering a cybersecurity-focused hack? No. Those are on the fringes, and that's where the blind spots exist."

  • Own the issue: He emphasizes that this wasn't a technical hack in the traditional sense, but a breakdown at the operational borders where different teams defined the incident differently, leading to a "not my job" culture. He maps the unmanaged middle as a square with four functional corners: traditional cybersecurity, consumer privacy, financial compliance (like Know Your Customer and Anti-Money Laundering), and general fraud. Incidents often slip through the cracks when they touch these borders, and teams deflect ownership. The solution, Andrewes says, is for team members to take ownership by either directing the issue to the correct owner or proactively setting up a collaborative meeting.

The antidote to manufactured complexity and operational blind spots is a disciplined, risk-first framework. Andrewes stresses that a sound strategy begins with a thorough risk assessment, placing the organization’s specific needs ahead of any generic sales pitch. To ensure follow-through, security leaders must map identified risks to specific controls, then to the tools that implement those controls, and finally, to the costs associated with them. This comprehensive approach provides a clear, costed path to remediation, preventing initiatives from stalling. It’s about building a robust operational plan that moves from identification to implementation, so security measures are actively put into practice.

Ultimately, cybersecurity maturity isn't achieved by acquiring the most tools or spending the most money. It's about a disciplined, practitioner-focused approach to managing complexity, understanding operational capacity, and fostering a culture of ownership across all teams. As organizations navigate emerging challenges like AI governance, third-party risk management, and identity—areas Andrewes predicts will see the most unmanaged middle failures in 2026—the ability to effectively manage existing risks will define true resilience.