Not getting incentives right can kill a security initiative or a security startup
I have been thinking about this topic for a while, and I am glad I have finally found the time to gather my thoughts into an article. I feel like it’s pretty rare to see people discuss incentives in cybersecurity (except for my friend Chris Hughes, who emphasizes this topic frequently in his blog and on LinkedIn). This is quite surprising given that everything in our industry centers around incentives. In this piece, I share some thoughts about this problem, discuss what I think are its most important aspects, and why more people should care.
This issue is brought to you by… Intruder.
As AI Enables Bad Actors, How Are 3,000+ Teams Responding?
Shadow IT, supply chains, and cloud sprawl are expanding attack surfaces - and AI is helping attackers exploit weaknesses faster. Built on insights from 3,000+ organizations, Intruder’s 2025 Exposure Management Index reveals how defenders are adapting.
High-severity vulns are up nearly 20% since 2024.
Small teams fix faster than larger ones - but the gap’s closing.
Software companies lead, fixing criticals in just 13 days.
Get the full analysis and see where defenders stand in 2025.
Incentives define how different departments prioritize security
If you read the Verizon DBIR, the CrowdStrike report, or any of the other credible, regularly produced reports about the root causes of breaches, or even if you simply follow the news, you’ll notice a consistent pattern:
Most breaches aren’t caused by some novel technology like AI or blockchain, nor are they the result of mysterious, never-before-seen zero-days.
The vast majority of security problems are not really security problems; they are problems that originate in other parts of the organization and introduce security risks.
To put it differently, the vast majority of all the breaches happen because of some basic and boring problems. Someone forgot to change the password. Someone wasn’t able to track all the assets in a centralized system. Someone decided to grant a contractor more permissions than they needed, but forgot to revoke access when the contractor left. This list can go on and on, but the fact that matters here is that most of the time, what gets companies breached is something the security team can’t fix on their own. It is what my friend Yaron Levi calls “lack of operational discipline”.
None of this is rocket science, and anyone who has worked in security for over ...