The Security Spending Trap: Why Your Investment Isn't Protecting You

Written By Paolo Carner

In December 2022, CircleCI—the CI/CD platform trusted by thousands of tech companies—discovered malware on an engineer's laptop. By the time they caught it, attackers had spent weeks inside their production environment, harvesting customer secrets: API keys, tokens, credentials to AWS, GitHub, and databases.

Introduction

At the time of the breach, CircleCI had everything you're supposed to have: SOC 2 Type 2 compliance, a dedicated security team, endpoint detection tools, and production monitoring. They even detected suspicious session token usage.

None of it prevented the breach. Why?

The malware bypassed their security tools. The suspicious activity blended into normal engineering noise. By the time they understood what they were looking at, attackers had exfiltrated secrets from ~4,000 customer organizations.

CircleCI's response? Force every customer to rotate every secret stored in their platform. Thousands of engineering teams spent January 2023 manually rotating credentials across their entire stack. Revenue impact for those customers: impossible to quantify. Trust impact: permanent.

The security tools were running the entire time. They just weren't protecting anyone.

The core problem

Unfortunately, security spending doesn't equal security capability. Here's the mechanism of failure that CircleCI—and likely your company—faces:

Your tools generate signals. Thousands of them. Endpoint alerts. Network anomalies. Authentication events. Each one is technically correct. Each one is potentially important. None of them contextualized.

When CircleCI's monitoring flagged suspicious session token usage, it was signal #847 that week. Was it an engineer working from a coffee shop? A CI job with weird timing? A compromised credential? The tool couldn't tell them. Someone had to investigate. But investigate how? With what priority? Using which playbook?

That gap—between "we detected something" and "we know what to do about it"—is where breaches happen.

Most scale-ups buy security tools to satisfy external requirements: SOC 2 audits, customer RFPs, and insurance applications. You implement the tool, check the box, and move on. The tool does exactly what it's designed to do: generate logs, create alerts, and produce reports for auditors.

What it doesn't do: tell you when something's actually wrong. Or what to do about it.

The illusion: "We have monitoring, so we're covered."

The reality: Monitoring without interpretation is just expensive noise.

Why this matters now

You're in the danger zone. Big enough to be worth targeting—you have valuable customer data, revenue worth disrupting, ability to pay ransom. Small enough that one incident could be existential.

Here's the asymmetry that's killing scale-ups: Your engineering team can ship a breaking change in 6 minutes. Your security posture—if you even have someone responsible for it—takes 6 hours to confirm whether an alert is real. That gap is your vulnerability.

On top of it, the external pressure is mounting. Enterprise customers are asking harder questions in vendor security reviews. Your insurance premiums are rising, or coverage is being denied outright. Your board wants proof you're managing this risk, not just spending on it.

The framework

The gap between tools and protection isn't solved by buying better tools. It's solved by building a system—five layers that work together:

  1. Detection (what your tools do now)

  2. Triage (what separates signal from noise)

  3. Investigation (what determines actual risk)

  4. Response (what contains and remediates)

  5. Learning (what prevents recurrence)

Most scale-ups have Layer One. Maybe parts of layer two, if someone's writing custom detection rules, or if the technology is intelligent enough.

Layers three through five? That's where CircleCI failed. That's where you're failing.

Let me clarify: this series isn't to "teach” you another compliance framework. Not another technical standard. Over this series, I'll break down what each layer actually requires—the people, processes, and yes, tools—that make them work. But, more importantly, I'll show you why they have to work together as a system, not as disconnected point solutions.

And I am not going to tell you to rip out your existing tools. I'm going to show you what has to wrap around them to make them actually protective, rather than just performative.

What you'll learn

By the end of this series, you'll understand what good looks like at your scale. Not enterprise SOC scale, but not "wing it with your senior engineer" scale either. The specific capability level that matches your risk profile: too big to ignore security, too small to build a full security organization.

You'll understand the build-vs-buy calculus: what's realistic to build internally, what requires specialized expertise, and what the true cost of each option is (hint: it's not just salary).

And you'll know how to evaluate whether a provider—whether that's a consultant, a tool vendor, or a managed service—can actually deliver what you need, or if they're just selling you layer one with better marketing.

Next in this series: "Detection Without Triage Is Just Expensive Noise" - why having alerts doesn't mean having answers.

Sources:

  1. CircleCI Security Alert (January 4, 2023): https://circleci.com/blog/january-4-2023-security-alert/

  2. CircleCI Incident Report (January 13, 2023): https://circleci.com/blog/jan-4-2023-incident-report/

  3. Bleeping Computer Analysis (January 2023): https://www.bleepingcomputer.com/news/security/circleci-says-hackers-stole-encryption-keys-and-customers-secrets/

Paolo Carner
Next

Understanding Third-Party Cyber Risk for SMBs