“Show me the incentive and I will show you the outcome.”
— Charlie Munger
Have you heard the one about how all the viruses are written by the antivirus companies? This joke makes the rounds at cocktail parties because it strikes the right balance between being absurd and making cynical sense. More viruses means more demand for antivirus, right? So the antivirus companies must be making all the viruses! While baseless in reality, this caricature highlights a fundamental problem in cybersecurity: misalignment of incentives.
Remember when your car gave you trouble and your mechanic couldn’t seem to fix it permanently? Every few months it seems like the issue would reoccur, but your mechanic insisted they fixed it right the first time and this is a different issue now even though it looks/sounds the same to you. You choose to believe them, but you are aware that every time one of these “new” issues comes up, your mechanic gets more money from you. We’ve all been there. I’ve had an “arm bush” replaced only to replace the “mounting” just two weeks later – apparently both definitely needed replacing. It’s just one of life’s annoyances that we’ve gotten used to, because there’s no choice but to live with it.
Now imagine that annoyance scaled out across a fleet of corporate jets.
Power by the Hour.
It’s the 1960s and you’ve developed a very cost-efficient aircraft engine. A side-effect of the low-cost design is that it suffers recurring maintenance issues (none catastrophic, but they still need attention). So how do you assuage customer concerns about this literally high-maintenance product? You invent the “Power by the Hour” model.
With “Power by the Hour”, as the buyer of engine maintenance, you pay Rolls Royce only for time that the engine is running. That means engine downtime is a cost to Rolls Royce, so there is an alignment of incentives: the longer the engine is in a runnable state, the happier the customer is, and the more money the mechanic makes. Incentives are aligned so it’s a win-win and everyone is happy.
This application of the “pay for what you eat” model to a loss-minimisation problem was well ahead of it’s time, but today it is considered a classic example of performance-based contracting.
Misaligned incentives in cybersecurity.
Every cybersecurity vendor experiences a moment of happy excitement when their product is seen to stop an attack on a customer. This is understandable. But consider an analogy, would you feel happy the day your home alarm scared burglars away? Most people would be freaked out that someone tried to get in. It’s good that you had the alarm system and it did its job because if the alarm were not there (or did not work) then you would have had a burglar in your home, but nevertheless it is a misalignment of incentives to find that someone who is supposed to be on your side – i.e. the home security service provider – gains a benefit when you are attacked.
Cybersecurity buyers like to complain about “alert fatigue”, but from anecdotal evidence I think there needs to be some baseline level of alerts in order to secure renewals and expansions because otherwise most contemporary buyers don’t see value. Home alarm systems come at a cost, and if yours hasn’t triggered in a year and the general sense is that your neighbourhood has become safer, then why wouldn’t you consider cancelling your service and spending the money on a family vacation?
So if you’re the home alarm company, it’s not to your benefit for neighbourhoods to become safer because with your business model, you don’t get paid to make people safe or even to make them feel safer. You are paid for alerts. The more alerts, the more you benefit.
Cyber Power by the Hour.
Cybersecurity is a trickier problem than engine uptime because:
- Performance is harder to define in this context. What is a breach? How do you measure the impact of a breach?
- Driving performance would most likely require invasive controls. You don’t just go pick up an engine and take it back to your workshop (and optionally leave a spare engine with the customer). To do cybersecurity, you generally need to be embedded in the front-line.
If (and I acknowledge this is a huge if) the above two points can be sufficiently addressed, then how would you structure a performance-based holistic solution to cybersecurity? The easiest model I can imagine is “pay me $1M per year to take care of your cybersecurity and I will pay you back $250k every time I fail”. Astute readers will point out penalties for non-performance are standard in many major IT procurement programs, but I’m not taking about failure to deliver on-time or on-spec, I’m talking about a payout on occurrence of a breach (however breach is defined).
If this model of “pay me X and I will pay you Y when Z happens” sounds familiar, it’s because that’s basically how insurance works. Getting to Cyber Power by the Hour requires a further step: the insurance company is responsible for providing your cybersecurity. Then it’s “pay me X and I will pay you Y when Z happens but I’m going to do everything I can to prevent Z so that I can minimise Y.”
Presumably the more control you hand over to the insurance company, the lower X is (or the higher Y). On a fundamental business structure level I believe insurance is already well matched to a performance-based approach for cybersecurity. Plus they have the actuarial rigour and discipline to back it up with risk and pricing models, not to mention the float to offer such a product without a beyond-obscene amount of venture capital.
But, there’s a gap in the cybersecurity delivery side of things:
- How to define performance? The insurance industry has tonnes of experience with this issue in a general sense (e.g. was your house destroyed by water damage or a hurricane). Applying it to cybersecurity will obviously take a lot of effort, but I think it can be done for the most part. The problem is some attacks may be hard to detect/recognise, e.g. industrial espionage.
- How to deliver performance? What controls do you mandate? What is the economic impact (e.g. on productivity) of these controls? How are these controls implemented and enforced, and by whom? The insurance industry has some experience with this in a general sense (e.g. they may give you a health checkup as a prerequisite to health/life insurance, or make you stick a tracking device in your car for vehicle insurance) but it’s definitely a qualitatively different ballgame with cybersecurity controls.
As they say, the devil is in the details and cybersecurity is a field that is especially unforgiving of ignoring the details. So we shall see if the insurance industry is willing and able to seize this opportunity to move beyond alerts and incident response, and pay more attention to controls and interventions that move the needle at a far higher level than the average enterprise can even catch a whiff of. Maybe you could focus your efforts on controls like convincing Barrack Obama to have a frank word with Xi Jinping, then you can sit back and reap the increased profits due to reduced breach payouts that naturally flow on from a reduction in APT attacks.
Suddenly you’re in the business of safer neighbourhoods. Imagine that.