I'll take door number 4, please.

Cynics laws of thermodynamics cybersecurity:
0th: You must play the game.
1st: You can't win.
2nd: You can't even break even except under special circumstances.
3rd: The special circumstances don't exist.

Anyone who spends sufficient time reading commentary on cybersecurity will notice that many posts  fall into three major themes around the topic of "how to fix it:"

1) Do the basics and fix 90-99 percent of the problem. 

2) Attacks are continuously getting more sophisticated and we need to be as technically advanced as the bad guys.

3) We are facing a no-win situation and we have to do the best we can but not let it grind us down.

I enjoyed reading and happen to agree with all three articles, but regardless of how true they ring, they cannot all be simultaneously right. So what's really going on? Is our cynicism an accurate reflection of reality?

Certainly any single cybersecurity professional, or any single organization, cannot survive the wild west we currently inhabit. But regardless of how far away from broad concensus on solutions we may be, I think that everyone on the side of the white hats will agree that the current situation cannot go on. To continue borrowing metaphors from other disciplines, economist Herbert Stein observed that "if something cannot go on forever, it will stop." While we are never likely to attain a complete mitigation of security threats - after all, despite decades of effort, in the United States we accept around 35,000 traffic deaths annually as "normal" - history repeatedly shows that in the face of collective threats, populations will eventually achieve, through some combination of market forces and central control, a state we can put up with. The current situation cannot go on forever, and so we will make it stop.

Therefore, I think that all our common formulations are correct but incomplete. We will not solve our problems with a single approach, nor are we doomed to go on with the good fight in spite of knowing we will fail. Although our effort will go on for years and decades, the belief that must sustain us is that, in the fullness of time, the sum of the security efforts of all who prize order over chaos will enable us to take door number 4, then look back and say "I survived the bad old days."