Cybersecurity Insights

January 19, 2026

Who watches the watchmen?

The phrase comes from Watchmen, but it has always carried a much wider meaning.

It is a question about oversight.
About blind spots.
About what happens when responsibility is assumed rather than verified.

In cybersecurity, that question is becoming increasingly relevant.

Not because organisations lack tools.
Not because analysts lack skill.
But because modern security operations quietly introduce gaps that are easy to miss until something goes wrong.

When analysts investigate, they leave the platform

In theory, alerts arrive, are analysed, and are resolved inside a single security environment.

In reality, that is rarely how investigation works.

An alert fires.
An analyst opens a browser.
They search for context, threat intelligence, IP reputation, recent activity.
Tabs multiply. Notes are copied. Comparisons are made. Decisions are formed across multiple tools.

This behaviour is entirely rational. It is how human investigation works.

But it introduces something important that rarely gets discussed.

Context switching.

Every time an analyst leaves the primary security platform, investigation becomes slower, more fragmented, and harder to observe as a single, coherent process.

Over time, patterns form.
Response rhythms emerge.
Delays become predictable.

And attackers pay attention to patterns.

Attackers study process, not just vulnerabilities

There is a tendency to focus on technical entry points. Zero days. Phishing campaigns. Misconfigurations.

Those matter. But they are not the whole story.

Modern attackers are patient. They observe how environments respond, not just how they are breached.

They learn how long alerts take to be reviewed.
They learn when investigation slows.
They learn where noise hides signal.

When response relies heavily on manual triage and human context gathering, dwell time increases.
And dwell time is where damage happens.

This is not a failure of people.
It is a consequence of process design.

Outsourcing security does not outsource accountability

A second blind spot appears when organisations rely heavily on external SOC providers.

Outsourcing is often framed as a clean handover. Monitoring is someone else’s job. Investigation is handled elsewhere. Responsibility feels shared.

In practice, accountability never leaves the organisation.

If data is exfiltrated, it is the organisation that answers to regulators.
If services go down, it is the organisation that faces operational disruption.
If trust is damaged, it is the organisation that has to rebuild it.

The question is not whether a provider is competent.
The question is visibility.

How does an organisation know what is being seen and what is being missed?
How are gaps identified in real time rather than after an incident report is written?
What feedback loop exists when something does not look right?

Oversight without visibility is an illusion.

Watching the watchmen without blame

None of this is about fault.

Security analysts are under pressure. Alert volumes are high. Skills are scarce. Expectations continue to rise.

Service providers operate at scale and under strict SLAs. They optimise for efficiency, not perfection.

The issue is not people.
It is that many security models still rely on assumptions rather than evidence.

Assumptions that alerts are seen quickly.
Assumptions that investigation is consistent.
Assumptions that visibility is complete.

Good oversight does not slow teams down.
It reduces uncertainty.

It replaces trust alone with clarity.

The question that matters most

Organisations often ask whether their security stack is strong enough.

A better question is simpler.

How quickly would you know if something was wrong?
And how confident are you in what you can see while it is happening?

In cybersecurity, the most damaging blind spots are not technical.
They are the ones we assume no longer exist.

That is why the old question still matters.

Who watches the watchmen?

This article is the first in a short series exploring where modern security operations create blind spots, and how organisations can reduce them.