Press "Enter" to skip to content

Incentives drive security behavior

At the RSA conference this week, the SolarWinds CEO discussed how the further investigation of the breach of the company reveals that the attackers began probing as early as January 2019, meaning they were undetected for nearly two years.   He also expressed regrets over the former CEO blaming an intern.

The company has created the Orion Assistance Program, which helps with planning and advice for restoration of service.  

And while we’re covering statements from executives, Apple’s senior vice president of software engineering testified in the Epic trial.    His key quote “If you took Mac security techniques and applied them to the iOS ecosystem, with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac. And as I say, today, we have a level of malware on the Mac that we don’t find acceptable and is much worse than iOS

And speaking of vectors, Microsoft is retiring Internet Explorer next summer, officially.  Finally.  

Why do we care?

I’m focused a lot on incentives lately and will be building on that idea in an upcoming editorial.     Of course they have an Assistance program.  That makes a ton of sense, as they don’t want customers to abandon the product.   That statement doesn’t detract from it being a smart move, just take it for what it is: customer retention.    That’s different from accountability.

It’s interesting to contrast that with Apple’s approach on iOS versus the Mac.   When given the choice, they’re incentivized to keep the App store secure on iOS as it maintains the security…. And it maintains their profitability.    They’re making that security a paid feature.   I’ll acknowledge it comes with an offset downside in restricting the types of stores and the way they enforce security.  There’s a healthy debate to be had about monopolies here too, but from an incentive perspective, it’s an example of how the alignment matters.  

And that’s why we care and contrast these two.    Let’s spend more time thinking about the incentive structures.