I’ve noticed something over the years. No matter how complex the conversation gets, no matter how many tools, frameworks, or reports get pulled into the room, it always comes back to one simple question.
Who is doing what on your network?
Not eventually. Not after a few hours of digging. Not once someone has time to piece it together. Right now. And the funny thing is, people don’t usually start there. They start with what feels like bigger, more important questions. Are we exposed? Are we under attack? Are we safe and compliant? Those are the questions that show up in meetings, in board decks, and in status updates. But if you sit with them for a minute, answering them is often not that simple.
Not eventually. Not after a few hours of digging. Not once someone has time to piece it together. Right now. And the funny thing is, people don’t usually start there. They start with what feels like bigger, more important questions. Are we exposed? Are we under attack? Are we safe and compliant? Those are the questions that show up in meetings, in board decks, and in status updates. But if you sit with them for a minute, answering them is often not that simple.
Take “Are we exposed?” That sounds like a big, serious question. It usually leads to lists. Risks. Scores. Priorities. But underneath all of that, what people are really trying to understand is much simpler. Who has access to what? Who shouldn’t? What’s connected that we didn’t expect? What is talking to what, and does that make sense? You can dress it up however you want, but it always comes back to whether you truly know who is doing what on your network.
Then there’s “Are we under attack?” That one tends to create a lot of urgency. Things start lighting up. People start asking for updates. But if you strip away the emotion, the question is surprisingly basic. Is someone doing something they shouldn’t be doing? Not in theory. Not based on a rule firing somewhere. But in reality, on your network, across your systems, in the way things are actually behaving. Who logged in? What did they do next? Did it make sense? Could you explain it to someone else with complete confidence?
And then you get to the question everyone eventually asks: are we safe, are we compliant? That’s the one that carries the most weight. It sounds like it should have a clear, confident answer. But it rarely does. Because it’s not really asking what you’ve put in place. It’s asking whether you understand what’s happening well enough to stand behind it. Can you show who accessed what, and when? Can you explain how access is being used, not just how it’s supposed to be used? If someone asked you to walk through what happened yesterday, could you do it cleanly, without filling in blanks? Most of the time, that’s where things get a little quiet.
What I find interesting is that none of these questions are actually different. They just show up wearing different clothes. Risk, activity, compliance, they all sound like separate conversations, but they depend on the same thing. Whether you have a clear, continuous understanding of who is doing what across your network.
And that’s the part that tends to get lost.
Not because people don’t care. Not because teams aren’t working hard. If anything, it’s the opposite. There’s effort everywhere. There’s data everywhere. There’s no shortage of information. But there’s a difference between having information and understanding. Between collecting activity and being able to explain it. Between seeing pieces and seeing the whole.
So, what ends up happening is familiar. People piece things together. They check multiple places. They validate, revalidate, and then sanity check again. Eventually, they get an answer. Or at least something close enough to an answer to move forward. And to be fair, sometimes that’s enough.
But it’s also why those same questions keep coming back. Why “Are we exposed?” doesn’t stay answered. Why “Are we under attack?” never fully settles. Why “Are we safe?” is always followed by a pause. Because the real question who is doing what on your network is something that requires continuous questioning and continuous understanding
It’s not a flashy question. It doesn’t make a great headline. But it’s the one everything else depends on. And if you can answer it cleanly, without stitching things together, without second-guessing, without needing time to figure it out, most of the other questions get a lot easier.
If you can’t, they don’t.
You can find more blogs from Mark Wojtasiak, here.
And, catch him regularly on the Hunt Club Podcast, Cyber Minds Show.