When the climate is the problem, not the "plant".

It's easy to say that "people are the weakest link" in cybersecurity. But I believe we're looking at the wrong issue.
If a plant isn't thriving, an experienced grower doesn't blame the plant. They look at the soil, the light, and the water. The same logic applies in organisations: it's the climate — governance, incentives, and what we reward — that determines whether security takes root or withers.
We can introduce more policies. Buy more tools. Hold more training sessions.
But if the reality rewards speed over reflection, we get exactly the behaviour we measure: shortcuts, silence, and "compliance theatre". Then security becomes a decorative layer, not a capability.
In my new blog post, I discuss why climate is often the real vulnerability and how we can shift focus from activity to impact:
• What in your daily routine makes it easy to do the right thing?
• What makes it difficult to report, pause, or question?
• And what is truly rewarded — safest delivery or fastest delivery?
Which "climate factor" has been most decisive for you?
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

On incentives, responsibility, and why security speeds up when we stop holding it back

I've often heard that "people are the weakest link". I don't buy it anymore. Not as the sole reason why incidents happen. When I look beyond the headlines, I see something else at the root of why individuals are a weak link: the environment around the person. The organisation's climate. How we measure, reward, and build. That's where security either takes root or withers and becomes insecurity. If a plant doesn't grow, a skilled grower first looks at the soil, light, and water—not the plant. We should do the same.

In many organisations, we reward speed, expansion, and quarterly targets. There's nothing wrong with that in itself. But security often follows a different logic: it's not rewarded when nothing happens. Nothing is visible. No points on the board. And I've sat in countless boardrooms and watched someone clear their throat and say "stop, wait, risk". That person is seen as a brake, sometimes even an outcast. I've witnessed good people doing rational things within an incentive system that makes security invisible and unnoticed. It's almost like security has become electricity in households — it just has to work. That's why I flip the perspective: the problem is rarely the individual; the problem is the climate we placed them in (OECD, 2022; World Economic Forum, 2024).

This is sensitive, I know. Because if the climate is the problem, the compass points to leadership and governance. It's not primarily about another campaign or a new tool, but about how we lead, measure, and allocate responsibility. Public guidelines essentially say the same. The European Union's new regulations make cyber a board-level issue: management must understand risk, weigh proportionality, and make decisions when under pressure (European Union, 2022). US authorities emphasise "secure by default", shifting responsibility upstream to those who design and deliver, rather than offloading it onto end users (CISA, 2023). It's a polite way of saying: fix the climate, not the poster. And no, it's not about technology fixing the human firewall's shortcomings. But it supports a secure culture.

Why do I push this so strongly? Because I see the cost of the old compliance-driven mindset. Checklists and certificates have their place, but only as a foundation. They provide form. Traceability. But when incentives reward speed without risk categorisation, documents become mere facades, security theatre. We tick boxes but don't reduce risk. We add another layer, write another policy, believing that stacked evidence replaces capability. Public reports show the same trend: attacks often start in the human daily workflow and surrounding chain. More gadgets won't help if the climate still favours shortcuts and speed over the painful controls (ENISA, 2023).

I know the word "culture" can feel fluffy. That's why I prefer to talk about managed incentives. What happens when a sales manager earns recognition for closing deals securely, not just quickly? When a product owner gains career points for choosing a secure standard component over a "quick fix" or "cheapest option"? When a manager is measured on recovery time as much as on delivery dates? That's when the climate changes, I firmly believe. And it can be done without slogans or costly bonus schemes. The OECD's updated recommendations link digital security to economic risk management integrated into governance and decisions, not beside them (OECD, 2022). The World Economic Forum describes the same shift: boards that integrate cyber into business risk make better decisions, face fewer surprises, and gain more market trust (World Economic Forum, 2024). So it should be part of the job description, a requirement placed on the individual. Especially if that individual wants to be a leader and carry responsibility.

We also need to be honest about why organisations sometimes work against their own security. We create friction where speed is rewarded and security punished. Security is a cost and negatively impacts turnover in that environment. We create dependencies where no one owns the full risk. We create false security with countless dashboards featuring dubious risk models, flows, and processes that make timely detection impossible and do not help visualise the organisation's resilience and recovery ability at all. This isn't a moral or ethical issue. It's an incentive issue. When suppliers, customers, and internal teams share data, responsibility, and goals, the game changes. It's no coincidence the EU is now introducing product requirements for digital products. Security should be present before the market, not added afterwards (European Commission, 2024). Nor is it a coincidence that national reports emphasise holistic approaches: people, processes, technology, and suppliers working together, not separately (ENISA, 2023).

"But won't this hinder our growth?" is a common objection. My experience says the opposite. When the climate supports the right pace at the right time, everything speeds up over time. We avoid fire drills. Costly rework. Blame games instead of solutions. And yes, there's business value in trust in the organisation's and operation's capability. Organisations that make security a career merit, a mark of quality, a trust score make better decisions faster, have less internal friction and become more reliable partners. This isn't just nice words. It's reflected in how capital, customers, and talent move towards those delivering stability rather than a sense of control (World Economic Forum, 2024).

I use the greenhouse metaphor deliberately, even strategically. For me, cybersecurity isn't a shimmering plant we stumble upon on the path to growth. It is the greenhouse. Without the right climate, nothing sustainable grows. With the right climate, everything grows faster. That's why I get tired when someone says "people are weak" but then doesn't nurture that weakness. People do as the climate teaches and won't become the safest link. Change the climate, change the behaviour. It's about owners, boards, and leadership. But it's also the good news: when the top changes the climate, the rest follows.

The bottom line is simple. We can keep measuring how fast we go. Or we measure how safely we arrive, time and again. I choose the latter. Not because I dislike brakes, or am old-fashioned, or afraid to accelerate. No, because I like speed that lasts, not a rush to bankruptcy. It's the difference between blaming "people" and doing the work on the environment. When we do that, both security and business grow. And that's exactly what public recommendations and new regulations are steering us towards: less ritual, more resilience (European Union, 2022; CISA, 2023; European Commission, 2024; OECD, 2022; ENISA, 2023; World Economic Forum, 2024).

References (APA – selection)

  • CISA. (2023). Secure by Design, Secure by Default. Cybersecurity and Infrastructure Security Agency.

  • ENISA. (2023). ENISA Threat Landscape 2023. European Union Agency for Cybersecurity.

  • European Commission. (2024). Regulation (EU) 2024/2847 — Cyber Resilience Act (CRA).

  • European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal L 333.

  • OECD. (2022). Recommendation of the Council on Digital Security Risk Management.

  • World Economic Forum. (2024). Global Cybersecurity Outlook 2024.
