Why Ransomware Still Works: The Consulting Crisis Undermining US Cybersecurity with Scott Headington
- Juan Allan
- Sep 9
Scott Headington reveals the real challenges in US cybersecurity: failed consulting, AI risks, and the human error behind ransomware

The explosive growth of the U.S. cybersecurity industry is being dangerously undermined by a systemic failure in consulting, where rapid order-taking has replaced the deep, strategic partnership required to build genuine resilience.
In this interview, we discuss this matter with Scott Headington, Vice President of Indelible LLC and a seasoned cybersecurity expert. He argues that the industry's greatest vulnerability isn't a technical flaw, but a human one: the erosion of true consultancy.
Moving beyond market statistics, Headington delivers a candid diagnosis of why ransomware still cripples businesses, why the reckless adoption of AI poses an unprecedented threat, and how the solution lies not in a silver bullet, but in returning to the foundational principles of people, process, and technology.
Interview with Scott Headington
How big is the cybersecurity industry in the U.S. today, and how fast is it growing?
Cybersecurity is the fastest growing industry in the US. It’s an exciting and scary time to be in the business. Now, for the boring side of my answer, which depends on who you read: the U.S. cybersecurity market is estimated to have a market value of between $75-85 billion and is growing at approximately 12-13%. I review a few publications that state these figures, ones like Grand View Research or Mordor Intelligence.
Also, according to market research, the U.S. represents the largest spend globally, with the total market estimated to be north of $300 billion. It's an incredibly fast-growing industry, fueled by increasingly sophisticated attackers, quickly evolving technology, and access to artificial intelligence/machine learning that helps design attack vectors never thought of before. The growth is also fueled by businesses moving forward on digital transformation plans, such as the adoption of cloud technology.
Lastly, during the COVID years, 2020 and beyond, the workforce started to leave major cities and spread out across the country. So now remote workers play a significant role in the U.S. cyber market, as businesses now need to account for an unexpected exodus from the workplace to people’s homes, where the security posture can vary widely.
What are the biggest challenges U.S. companies face in protecting their data?
It's challenging to pin down just a few issues because there are so many, but it’s the age-old problem of lack of time, people and budget. Having the necessary resources to learn, implement, and deploy systems is always an issue.
However, a deeper problem spawns from the industry itself. Cybersecurity consultancies are failing their clients by not "consulting." Gone, it seems, are the days of listening to clients, talking about solutions and bringing knowledge and experience to the table. Many vendors come in, hear what their clients want, and turn around a contract in 24 hours. This approach perhaps wins repeat business, since the vendor was quick and the client gets what they want, but I ask how often a patient goes to their doctor and has the conversation below:
“Hi Doctor, thanks for meeting with me. I have a pain in my groin, and I’ve been reading up, and I need a hernia surgery next week. Also, I have a nagging cough; can you include a prescription for an antibiotic to clear this up? If we can get this done, I have some other ailments that I could have you triage in a couple of weeks. I need to tell my spouse (boss) when this will all be taken care of and how much it will cost; can you have this by tomorrow? I have 2 other doctors I’m talking with this week. When I get all your offers in, I’ll review and let you know if you get to fix me up.”
I’m guessing never.
True consulting requires a partnership, understanding the client's business, goals, roadmap, and using expertise and experience to recommend a solution that addresses the actual problem, and that can't be done in a 30-minute scoping call.
The industry has moved to service offerings that are too narrowly focused but align with client requirements and budgets. That's not consulting; it's order taking and symptom treatment. For example, testing a web application is valuable, but it's only a limited view of the overall system. We have forgotten the old mantra of "people, process, and technology."
Looking at only one of these three components is a mistake. What about the people who write, test, and deploy the web app? What about the processes that support it? Fixing just one aspect doesn't give an organization the full picture.
We need to use our knowledge and experience to guide our clients to what they truly need, which may differ from what they think they want. While a few consultancies are trying to change this, it's a slow process that requires reshaping the vendor-client relationship.
Why are ransomware and phishing still such big threats in the U.S.?
Phishing and ransomware remain such big threats for one simple reason: they work.
Attackers have become incredibly sophisticated, moving far beyond the "frog in a blender" scam of the past. It's now genuinely difficult for an average user to distinguish legitimate emails from malicious ones. The internet is built on links, yet we're told not to click them unless we're sure; but how are we to be sure? That is exhausting and paralyzing for the end user. This constant pressure leads to human error. There is no silver bullet solution for phishing other than constant diligence and a "trust but verify" mindset.
Ransomware is a bit different; it is multi-faceted. The first thing to remember is that ransomware is not an attack vector; it’s an action an attacker can take after exploiting underlying security vulnerabilities and gaining access to a business’s assets. There’s a second part to this: recovery from ransomware. To do that you really have two choices: pay the attacker or execute your business continuity/disaster recovery plans. Sadly, option two requires preparedness and practice performing the steps in the plan. Most organizations are underprepared, largely due to lack of allocated resources (time, people, money).
To illustrate my point, let's learn from the TV show "Deadliest Catch". Crabbing in the North Atlantic in the winter is considered one of the deadliest careers you can have, since it doesn’t take long in the frigid water for the body to succumb to the cold and you perish. Crabbing crews practice getting into their survival suits to prepare for a real emergency by physically going through the steps: they find, get into, and zip up the suits. The boat captain times them and makes them do it again, until the crew can prepare for an “abandon ship” situation as quickly as possible. In contrast, many organizations and their security partners only "practice" their business continuity and disaster recovery plans via a theoretical table-top exercise, where they talk about the steps but don’t execute them. The teams responsible for BC/DR execution are also increasingly reliant on tools, without fully understanding how they work under the covers. If a tool fails, what then?
Teams need more time and resources to dig deep, become elite, and practice what happens in various situations. It is through that practical, hands-on experience that they will truly learn where their plans fall short. Ultimately, the biggest challenge is not the attackers or their tools, but the human and procedural vulnerabilities they exploit.
How are new technologies like AI and cloud services changing cybersecurity in the U.S. market?
It's important to recognize that new technologies like AI and cloud services have reshaped the technology stacks of organizations globally, not just in the U.S. What I’m going to talk about here affects us all globally.
With that said, this topic, using cloud and AI as the examples, is a tale of two cities. On the one hand, you had slow, methodical adoption of cloud technologies, which brought cybersecurity research along at relatively the same pace.
Contrast this with the explosive and, I consider, reckless widespread adoption of AI without fully understanding the impact and consequences from a business or cybersecurity standpoint. From a cybersecurity perspective, it’s not the technology that is changing the industry; it’s the adoption approach.
Speaking to the US market, technology innovations are adopted rather slowly. Using cloud offerings as a use case: they brought immense advantages, allowing organizations of all sizes to centralize infrastructure and divest from the management of their own network and storage devices. This brought benefits I never dreamed of in my early career days developing code back in the 90s. However, this has also created a centralized attack target. The "golden ticket" for an attacker is compromising a major cloud provider, gaining access to all the data, not just a single or a handful of tenants.
That led organizations to cautiously adopt cloud into their organizations. I’m familiar with major financial institutions and cybersecurity organizations that as recently as 2024 were just transitioning a limited footprint of infrastructure to the cloud.
Now with AI, the business world seems to have thrown caution to the wind and decided every industry must have a GPT integrated, or they will go the way of the dinosaur. From automotive OEMs to mom-and-pop e-commerce stores, AI is being, has been, and will be integrated everywhere. But at what cost?
I've spoken to many teams that are "integrating with AI", but due to the pressure to get this completed, they are moving forward without the required knowledge to understand the risks. In far too many cases, the integration companies hired to help businesses with these projects don’t have all the answers.
Few organizations have well-defined data classification policies, understand the time, space and data requirements to train an LLM, or have a plan to remove poisoned/bad data when (not if) it gets into their system. I was recently having a conversation over lunch with a CIO friend of mine who’s working with an AI integrator. She was expressing concern about bringing AI into the workplace. She confirmed they had no data classification to ensure what data should be viewed by whom, and the integrator hadn’t brought up how to maintain the LLM, considering what happens when it shows bias, is working off data mistakenly added, etc.
Now bring in the cybersecurity industry, on its heels. We are reeling to catch up and understand a deeply complex technology. Just one year ago, while consultancies were bringing their “AI Expertise” to market, most of the offerings were high level and didn’t get down to the real issues that matter. This is mostly due to time: time to learn and research.
The cybersecurity industry, on both the black-hat and white-hat sides, takes time to research technologies; it takes time to understand the impact of small, esoteric nuances that can lead to full system compromise. The movement and adoption of AI is moving at a staggering pace. I fear a significant number of organizations will lose data that will be integrated into public LLMs, and at that point, there is little we can do to get it back.
AI tools are also being used by attackers to think of and design new attacks on vectors not considered before. Given the reliance businesses have on cloud infrastructure, I believe it will not be long before a major cloud provider suffers a serious breach due to an AI-designed attack.
What are the main drivers of growth in the U.S. cybersecurity industry (e.g., regulations, remote work, digital transformation)?
You've hit the nail on the head. The main drivers are all those factors (regulations, remote work, and digital transformation) coupled with technology advances such as AI, as well as a significant increase in awareness and spending by organizations.
This heightened awareness, coupled with the realization that a security breach can lead to significant financial loss and damage to a company's reputation, is a major factor driving increased security spending across all sectors.
It’s also important to note that countries like Finland, Denmark, and Norway are also leading the way in securing their infrastructure. Their success is often due to strong public-private partnerships and a cultural emphasis on building digital trust and resilience. While it's a global spend led by the U.S., regions like APAC and MEA are rapidly increasing their investment, driven by their own ambitious digital transformation initiatives.
How is the shortage of skilled cybersecurity professionals affecting U.S. businesses?
While the U.S. cybersecurity industry has faced a long-standing shortage of skilled professionals, the job market in 2024 saw a unique shift. The trend of mass layoffs and security spending cuts led to an influx of talent in the market with a limited number of permanent positions available.
Companies were laying off employees in favor of contractors and consultants, in a move that I believe was designed to make the organizations look more profitable on paper by shedding the liabilities of full-time salaries and benefits. While this may be good for their stock price, it is not good for their long-term security posture. The heavy reliance on contractors, who often lack institutional knowledge and a vested interest in the company's long-term health, can leave an organization with a less resilient security program.
However, as the market recovers and companies begin to hire again, this will hopefully lead to talent spreading out to more positions, which benefits businesses. We have also seen several highly talented startups come to life as some of the older names in the U.S. cybersecurity industry falter. This is good for the industry and generally leads to more innovation.