From the Board Room to IT cubicles, security professionals are pouring over the latest wave of reports showing the pace of data breaches isn’t slowing. In fact, UK-based Juniper Research projects the global economic impact of cyber crimes will grow to $2.1 trillion in the next three years. That’s not a typo – TRILLION, with a T.

Reports from Cisco, Dell, Verizon, Google, AT&T, IBM and others paint a similar picture and it is not museum quality art. It’s ugly. For instance:

• 85% of successful exploits involve the Top 10 known vulnerabilities that have never been patched despite fixes being available for months or years.- Verizon
• Healthcare is now the largest target of attacks, passing financial services – IBM
• WordPress websites saw a triple digit increase in successful attacks: 221% – Cisco

The news doesn’t get better when you look at 2016 data through early May. According to the US-based Identity Theft Resource Center, data breach reports are up 40% over 2015’s pace – a record-setting year for the compromise of business and consumer records.

All of this begs a very simple question: With tens of billions of currency invested in cyber security each year, why does this continue to happen?

Like most simple questions, there is not a simple answer. From human behavior (we’re hard-wired to answer questions even if it means compromising security) to an over-reliance on traditional solutions (most attacks are aimed at the application level, but most of the resources are tied to network defenses), organizations simply cannot keep pace with those who would steal our treasure or do us harm.

A part of the solution is to rapidly shift attention to emerging technologies instead of aging defenses that can (obviously) be easily defeated, are difficult to install/operate and create as many issues as they solve. Web Application Firewalls (WAFs), I’m looking at you.

New technologies using virtualization – Runtime Application Self-Protection or RASP, for example – solve many of the issues inherent in the current generation of application security products. No false positives, no added appliances, no tuning, no code changes, and little to no performance overhead. No need to grind everything to halt to add the latest Java Critical Patch Update – you can apply the update using virtual patching in minutes instead of days, weeks or, as Verizon noted above, months or years.