Security excuses: Why “It won’t happen to us” is the most dangerous mindset
- I-Mitigate

- Sep 12
Security and risk management often fail not because of the sophistication of threats, but because of the mindset of those tasked with preparing for them. Among all the barriers to resilience, one phrase is more damaging than any cyber-attack or hostile actor:
“It won’t happen to us.”
This single belief breeds complacency, delays investment, and leaves organisations unprepared for events that could destabilise operations, damage reputation, and put lives at risk.

The comfort of assumptions
Leaders, by nature, must balance risk with resources. But too often, that balance drifts into wishful thinking. Excuses present themselves in different forms:
“We’ve never had an incident before.”
“Our systems have always worked fine.”
“We don’t have the budget for security this year.”
“Our people know what to do.”
“We’ll deal with it if it happens.”
On the surface, these sound practical. In reality, they are rationalisations, ways of postponing uncomfortable truths. The danger is that risk doesn’t wait for readiness. A system that has “always worked” can fail tomorrow. A workforce that has “never been tested” may falter in the first moments of a crisis.
The blind spots that excuses create
Every organisation has blind spots. Excuses widen them.
Insider threats: The colleague who bypasses procedures because “we all know them” becomes the gap that hostile actors exploit.
Geopolitical shocks: Protests, blockades, or shifting alliances can shut down supply chains overnight, yet are dismissed because they “rarely happen here.”
Technological dependence: Overreliance on digital tools creates fragility, but the assumption that “our IT team has it covered” masks how quickly a breach can escalate.
Continuity planning: A thick binder labelled “Crisis Response” is meaningless if it has never been tested under pressure. But because the plan exists, leaders assume they are prepared.
The problem is not the absence of risk awareness, but the willingness to believe that preparation can be delayed until tomorrow.
The psychology of excuses
Excuses serve a purpose: they reduce anxiety. Telling ourselves “it won’t happen to us” allows us to focus on day-to-day business without the weight of looming threats. But security is not about comfort; it is about readiness.
Organisations fall into three common traps:
Optimism bias – The belief that negative events are more likely to affect others than ourselves.
Normalisation of deviance – Small risks ignored over time become accepted as “normal practice,” until they trigger a major incident.
Short-termism – Immediate financial or operational pressures outweigh long-term resilience, leading to chronic underinvestment.
Each of these traps feels logical in the moment. Each of them unravels in the face of real disruption.
When excuses collapse
History is full of examples where excuses paved the way for disaster:
Infrastructure failures: Bridges, dams, and power grids neglected because “maintenance can wait” — until they failed catastrophically.
Corporate breaches: Companies dismissing small system alerts as “false positives” — only to discover they were the first signs of a major cyber intrusion.
Civil unrest: Businesses operating in politically tense regions without contingency plans because “we’ve always managed before” — then left stranded when borders closed.
Excuses don’t soften the blow. They sharpen it, because the impact lands on organisations that are least prepared to respond.

Building a no-excuse culture
Resilience begins when excuses end. To move beyond “it won’t happen to us,” organisations must accept a harder truth: it very likely could. Preparation must be lived, tested, and continually adapted.
Key elements include:
Admitting vulnerability – Recognising that every system, process, and team has limits.
Routine stress-testing – Plans must be exercised against realistic scenarios, not theoretical ones.
Cross-functional responsibility – Security is not the job of one department. It requires alignment between leadership, operations, technology, and culture.
Future-focused thinking – The threats of tomorrow will not look like the threats of yesterday. Excuses anchored in the past are useless in the future.
Think again
The most effective risk strategy is not built on hope or on the comfort of excuses. It is built on the acceptance that disruption is inevitable, and the determination to adapt before it arrives.
“It won’t happen to us” is not a shield; it is an invitation for risk to strike harder. The real question every leader must ask is not if it will happen, but when, and whether their organisation will be ready when it does.