A must-read for all my friends building in security (so, all my friends) is yesterday’s [Ross] newsletter.
The main point: people will always do what they’re incentivized to do.
I’ve been obsessed with this thesis for years, and Ross distilled it perfectly for cyber: almost no one is actually incentivized by security practices.
How can we know what someone’s incentives are? Ask yourself a simple question: what makes them get promoted? fired? shouted at?
It’s easy to demonstrate with security teams. Similar to IT teams, they are incentivized to close as many tickets as possible, as quickly as possible, without making people mad. Their KPI is “velocity of ticket resolution,” not “reducing attack surface.” It’s actually firefighting, not fire prevention.
Real change requires alignment of incentives across the organization, which rarely happens until a major event forces new priorities. It can be a security breach, but it can also be “let’s be more data driven” or “we have to have AI in our product!”
In the race for AI adoption, we see the same pattern. Organizations are rushing to implement AI, often without proper tools or infra to make sure they’re doing it responsibly. It’s not because their engineers aren’t good, but because they have no incentives to make it safer.
The real question: how can we radically realign business incentives with security and safety, when every other force is pushing the opposite way?
Step one - acknowledge that incentives are the one true king. Step two will be to learn how to use them.
