Zombie Vivification

Poll a dozen security professionals, and you’re likely to hear most of them opine that cybersecurity is getting worse. By calling it “cybersecurity,” you’ll also get a dozen opinions about why we shouldn’t use the cyber– prefix, but that’s a story for another day.

By and large, I agree. Cybersecurity is getting worse. Breaches no longer even make major headlines. Cars and insulin pumps are the subject of recall and regulation. So many vulnerabilities are disclosed in a year that the Common Vulnerabilities and Exposures (CVE) framework had to go to a 5-digit numbering system for each year’s vulnerabilities.

But this is a good thing. When our net cybersecurity exposure starts going down, it probably means our pace of innovation and development around networked technologies will have also dropped. Why are these correlated? Zombies, and the Peltzman effect.

Much of our technology innovation comes from startups – businesses that already exist in a state of significant risk. While we might consider that established businesses can be modeled like humans, startups more closely resemble the walking dead. Like zombies, they are shambling to avoid death, unlike humans and corporations, which strive to perpetuate themselves.

Risk compensation — the Peltzman effect — teaches us that humans, when presented with a change in their perceived risk, will act in opposition to that change. When the world becomes riskier, humans play it safe. When the world becomes safer, humans take on more risk.

A startup, as a zombie, isn’t an entity at risk of failure. It’s an entity that is already, by definition, failing — once a startup is healthy, we no longer think of it as a startup. And since a startup already knows its date of demise, existential risks don’t matter anymore – and trying to play it safe would only make matters worse. Like a zombie, a startup’s best play is to ignore any risk to its life, and focus on risks to feeding itself. The nicks and bruises and technical debt that it accumulates can only matter if it first survives.

Zombies don’t feed if they play it safe; faster, more aggressive zombies get the brains first. Startups need to operate in the same model (hopefully pursuing revenue instead of brains). It’s only when startups (or zombies) become alive that the risky choices come back to haunt them.

It’s those risky choices made by successful startups that we inherit. Those risky choices become the cybersecurity risks that we all shake our heads and wonder, “why would anyone make these choices?” The startups that didn’t make those choices didn’t survive.