People Over Policies, Pt. 9 — Tools Don’t Make You Secure

John Hammond once wrote:

“Don’t forget, 0-days wouldn’t happen if you had just bought that one vendor’s EDR, MDR, XDR, NDR, RDR, NXDR, ODR, PDR, LDR, QDR, VDR, JDR, KDR, IDR, 1DR, 4DR, DDR, ZDR, YDR, ⧫DR, 🟋DR, 🙻DRR, DRDRDR, AIDR solutions they emailed you about after you got stickers from their booth.”

It’s hilarious—because it’s true.

Cybersecurity has become obsessed with acronyms and automation, but the reality is: you can’t buy your way out of risk.

Every tool has limits.
Every AI-driven defense eventually meets a human clever enough to beat it.

If you need proof, look no further than Stuxnet—the cyber weapon that sabotaged Iran’s nuclear centrifuges over a decade ago.
The system was air-gapped—physically disconnected from the internet—yet it still got infected.
How? A human found a USB drive on the ground and plugged it in.
That one action breached one of the most secure facilities on Earth.

Technology didn’t fail.
Human curiosity did.

But here’s the deeper truth:


People are also the strongest link.

The same human element that breaks systems is the one that saves them.

A vigilant user reporting a suspicious email is often the first line of defense.
A SOC analyst who catches something the tool missed is the final line of defense.
A leader who builds trust and psychological safety empowers people to speak up early — preventing disaster before detection ever kicks in.

Automation can’t do that.
A policy can’t do that.
Only people can.

So the real problem isn’t that people are weak — it’s that systems are often designed to blame them instead of equip them.


👉 What’s one example where people, not technology, saved the day?
