Governance gaps, misaligned incentives, and profit-first mindsets leave even well-funded organisations vulnerable in the age of AI and digital supply chains
It is well known that cyber adversaries have so far been significantly ahead of the defenders of digital infrastructure in both capabilities and strategy. One can infer with high confidence that this adversary-defender gap will only widen in the age of converged digital infrastructure, where IoT and AI intersect and nation-state adversaries look for opportunities to exploit cyber advantages. In short, geopolitics has a larger cyber footprint than ever before, and it will not be long before wars between nation-states to cripple economies are fought more with laptops than with arms.
In theory, however, it is not the case that the defender side cannot muster enough resources to fight cyber adversaries and overpower them; quite the opposite is true. Most enterprises within a digital supply chain network have adequate budgets to strengthen cybersecurity across the dimensions of people, process, and technology, to the extent that adversaries would find it challenging to penetrate enterprise defences. In practice, however, enterprise governance pitfalls and economic ‘irrationality’ do not help align the theoretically optimal outcome with the observed practical cybersecurity outcome.
Motivated by the works of the Nobel laureates Daron Acemoglu (MIT), James Robinson (University of Chicago), and Simon Johnson (MIT); by ideas from a talk given by Simon Johnson at the recently organised AI and cybersecurity event (May 2025) at the MIT Sloan School of Management; by ideas from a seminar organised by the Shaping the Future of Work initiative (January 2025) of the departments of Economics and Applied Economics at MIT; and by multi-year discussions with MIT CAMS corporate members, we view the theory-practice cybersecurity outcome gap through the lens of the institutional governance ideas proposed by Acemoglu, Johnson, and Robinson in their books Why Nations Fail: The Origins of Power, Prosperity, and Poverty, and Power and Progress. We also propose managerial and government action items to reduce this theory-practice gap and eventually pave the way to realising the Indian dream of a “surakshit and viksit Bharat”, not only a “viksit Bharat”.
The board and upper management in many enterprises (especially SMEs) often ‘force’ their ‘labour’ (employees in various divisions) to spend effort only on things that increase the profits of the enterprise by selling application products that please customers – rather than on making a product that is marginally less pleasing but considerably more robust in cybersecurity. The promotion, compensation, and perk structure within an enterprise is built such that profit-minded employees find it more rational to focus on meeting performance and profit targets than to push cybersecurity to the top of their work agenda. In addition, in the age of the digital supply chain, where technology products are assembled from parts provided through a supply chain network (consisting mostly of SMEs), management can often transfer breach liabilities (mutually) to other companies on the supply chain after a cyber breach, because strong liability regulations are absent and supply chain visibility is limited, as is the status quo.
Nearly all software-driven organisations today consist of employees on a tilted playing field (i.e., the organisation) that is not well aligned with cybersecurity-boosting objectives. The supply-demand dynamics (market equilibrium) of labour are such that the most creative and technically innovative employees choose roles in software development for products whose value matters most to venture capitalists and enterprise shareholders. These employees are paid well, are usually the top talent from the institutions from which they are hired, and are more interested in innovating than in adding a layer of security over the innovation. The relatively less innovative and less coding-competent employee (or the average expert risk manager) is put in cybersecurity roles and is paid comparatively less (add to this that cybersecurity roles can be too monotonous and boring to attract top talent, and that companies usually lack sufficient awareness to make such jobs interesting). Even where the pay is high (as in the USA), the best talents usually do not find a fit in cybersecurity roles. This is in complete contrast to the principles laid down in the legendary and seminal “The Mythical Man Month”, authored by Fred Brooks, who states that enterprise management should invest in fewer, but highly skilled, coding talents for the most business-critical applications. Cybersecurity today is such a critical application: it integrates AI, data, and software complexities, which compound the complexities of existing software systems.
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]