The Equifax breach, which impacted an estimated 145.5 million U.S. consumers, was in many ways the enterprise security story of 2017. That’s why so many of us were shocked when, during (now former) Equifax CEO Richard Smith’s Congressional testimony, we repeatedly heard him blame the company’s breach on a single IT person failing to install a patch. On the surface, this sounds like an error so easily avoidable as to be a travesty of incompetence or neglect. Indeed, Equifax came in for extensive criticism on essentially those grounds. But that superficial reading masks a deeper truth about the state of cybersecurity today, one that is actually even more worrying than the fact that a company holding data on so many Americans could be breached: namely, that many security teams (like, apparently, Equifax’s) are so overwhelmed that even simple things slip through the cracks.
More spend on tools, but to what end?
Organizations like Equifax are currently spending more on security than ever before. According to Gartner, worldwide spending on enterprise security will reach $96.3 billion in 2018, an increase of 8 percent from 2017.
Yet despite the money pouring into security, organizations — and not just Equifax — are increasingly being compromised not by the most sophisticated zero-day attacks but by simple mechanisms from the early 2000s — like missing patches or weak administrative passwords. How can such elementary problems still be tripping us up so many years later?
For one, security teams are overwhelmed. The average security team typically examines less than 5 percent of the alerts…