As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”.
Data leaks unless managed, access degrades without rules, information is ethereal. In the broader sense of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive... that tension will not go away”.
Bugs are inevitable (in all their forms - requirements, design, implementation); some bugs are security vulnerabilities, and exploitable bugs can become realized risk. I first heard this from @bobblakley I think.
Attack surface grows, risk is proportional to attack surface, and unknown services are never checked. There’s a Murphy-esque corollary to this: “Services want to be on, unless you really want them to be on, and then they often fail.”
Unchecked controls degrade with time, untested resilience fades with time, and a constant counterbalance is needed. Everything degrades unless countered by a force that keeps it in place.
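The two forces above (unknown services never get checked; unchecked controls quietly drift) are both answered by the same counterbalance: a recurring comparison of what is observed against what the inventory says should be there. The script below is an added example, not code from the original post; every host name, port and control value in it is constructed. It goes a little beyond the text by also reporting inventoried services that have disappeared, since an unexplained absence is a signal in its own right.

```python
"""Drift check: compare an expected baseline of services and controls
against an observed snapshot, and report anything unknown, missing or
degraded. All hosts, ports and control values here are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Service:
    host: str
    port: int
    proto: str


# Constructed baseline: what the inventory says should be listening.
EXPECTED_SERVICES = {
    Service("web-1", 443, "tcp"),
    Service("web-1", 22, "tcp"),
    Service("db-1", 5432, "tcp"),
}

# Constructed snapshot, as if parsed from a periodic scan of the same hosts.
OBSERVED_SERVICES = {
    Service("web-1", 443, "tcp"),
    Service("web-1", 22, "tcp"),
    Service("web-1", 8080, "tcp"),   # listening, but never inventoried
    Service("db-1", 5432, "tcp"),
}

# Constructed control baseline. String values must match exactly;
# integer values are an upper bound in days ("tested within N days").
EXPECTED_CONTROLS = {
    "web-1:tls_min_version": "1.2",
    "web-1:sshd_password_auth": "no",
    "db-1:backup_restore_tested_within_days": 30,
}

# Constructed observed state, with one drifted setting and one stale test.
OBSERVED_CONTROLS = {
    "web-1:tls_min_version": "1.2",
    "web-1:sshd_password_auth": "yes",              # drifted from baseline
    "db-1:backup_restore_tested_within_days": 95,   # resilience left untested
}


def find_unknown_services(expected, observed):
    """Services that are listening but absent from the inventory."""
    return sorted(observed - expected)


def find_missing_services(expected, observed):
    """Inventoried services that are no longer listening."""
    return sorted(expected - observed)


def find_degraded_controls(expected, observed):
    """Controls whose observed value no longer satisfies the baseline.

    Returns {control_name: (expected, observed)}; an absent control is
    reported with observed=None, since 'not checked' counts as degraded.
    """
    findings = {}
    for name, want in expected.items():
        got = observed.get(name)
        if isinstance(want, int):
            if got is None or got > want:
                findings[name] = (want, got)
        elif got != want:
            findings[name] = (want, got)
    return findings


def drift_report(expected_services=EXPECTED_SERVICES,
                 observed_services=OBSERVED_SERVICES,
                 expected_controls=EXPECTED_CONTROLS,
                 observed_controls=OBSERVED_CONTROLS):
    """Summarise all three kinds of drift in one structure."""
    return {
        "unknown_services": find_unknown_services(expected_services, observed_services),
        "missing_services": find_missing_services(expected_services, observed_services),
        "degraded_controls": find_degraded_controls(expected_controls, observed_controls),
    }


if __name__ == "__main__":
    report = drift_report()
    for svc in report["unknown_services"]:
        print(f"UNKNOWN  {svc.host}:{svc.port}/{svc.proto} is listening but not inventoried")
    for svc in report["missing_services"]:
        print(f"MISSING  {svc.host}:{svc.port}/{svc.proto} is inventoried but not listening")
    for name, (want, got) in report["degraded_controls"].items():
        print(f"DEGRADED {name}: expected {want!r}, observed {got!r}")
```

Run on a schedule, the interesting output is not the report itself but the moment it is non-empty: that is the point at which a control stopped being checked, or a service appeared that nobody asked about.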
Simple systems that work may still fail collectively when composed together - and will often do so in unpredictable and volatile ways.
The macro- and micro-economics of InfoSec matter: incentives have to be aligned so that the right risks are reduced with the right priorities, weighing factors like opportunity and productivity cost.