Simple logic.

Security follows quality.

Security weaknesses do not appear randomly.

They occur where defects exist.

Defects are introduced by how work is designed, organised, and incentivised.

Security is therefore primarily a quality problem, not a "cyber" one.

Defects are introduced upstream.

Most defects are introduced long before security controls are applied:

• in process design

• in architecture

• in organisational structure

• in incentives and decision-making

Security tools operate downstream. They can detect and mitigate defects, but they cannot remove their source.

Late fixes become permanent overhead.

Defects that are not removed early must be managed later.

Management takes the form of:

• additional controls

• additional process

• additional tooling

• additional people

Each layer exists not to improve the organisation, but to compensate for something underneath it.

Over time, this compensation becomes structural.

Cost increases. Flexibility decreases. Risk remains and grows.

Organisations aren't breached because attackers are sophisticated.
They're breached because they're vulnerable.

A ship doesn't sink because there's water.

It sinks because there's something wrong.

Sequoia exists to find and fix the things that make businesses vulnerable, so you can move forward.