Skin in the game for cybersecurity
What's "Skin in the game"?
"Skin in the game" is a phrase popularized by Nassim Nicholas Taleb in his book of the same name.
At its core, it refers to having a personal stake or investment in a particular outcome, ensuring that one shares in the risks as well as the rewards. The idea is that when individuals have something to lose, they behave differently and often more responsibly than when they have no personal stake.
Imagine if ...
- Pentest companies paid your company for not finding critical, high, or medium vulnerabilities;
- A security scanner tool became cheaper in proportion to the number of false positives and false negatives;
- Security companies covered customer damages from hacking/breaches that should have been identified during their assessments.
It would be great... but for whom exactly?
Why would security companies even offer these conditions to customers when they already purchase without them?
From a business perspective, it makes sense for security companies not to offer these incentives. To some extent, I think.
At my company, we decided to align the incentives from the start. It feels great to stand by your own work and be held accountable for your performance.
We just launched the True Shift Left program — a security initiative that boosts your security by design, or the customer gets a full refund.
That's a wrap.
I would be thrilled to see "skin in the game" applied universally, removing the asymmetry of acting on behalf of others without bearing responsibility for it.