
Why does cybersecurity management in enterprises fail?

Governance gaps, misaligned incentives, and profit-first mindsets leave even well-funded organisations vulnerable in the age of AI and digital supply chains

By Ranjan Pal, Bodhibrata Nag and Ekta Jain
Published: Jul 2, 2025 02:52:33 PM IST
Updated: Jul 2, 2025 02:59:29 PM IST

Enterprise governance pitfalls and economic ‘irrationality’ do not help align the theoretical optimal outcome with the observed practical cybersecurity outcome. Image: Shutterstock

It is a well-known fact that cyber adversaries have, to date, been significantly ahead of the defenders of digital infrastructure in both capabilities and strategy. One can only infer with high confidence that this adversary-defender gap will widen in the age of converged digital infrastructure, where IoT and AI intersect, with nation-state adversaries eyeing opportunities to leverage cyber advantages. In short, geopolitics has a greater cyber footprint than ever before, and it will not be long before nation-state wars to cripple economies are fought more with laptops than with arms.

However, in theory, it is not the case that the defender side cannot muster resources high enough to fight cyber adversaries and overpower them; quite the opposite is true. Most enterprises within a digital supply chain network have adequate budgets to enhance cybersecurity across the dimensions of people, process, and technology, to the extent that adversaries will find it challenging to penetrate enterprise defences. In practice, however, the case is that enterprise governance pitfalls and economic ‘irrationality’ do not help align the theoretical optimal outcome with the observed practical cybersecurity outcome. 

Motivated by the works of the Nobel laureates, Daron Acemoglu (MIT), James Robinson (University of Chicago), and Simon Johnson (MIT); ideas from a talk given by Simon Johnson in the recently organised AI and cybersecurity event (May, 2025) at the MIT Sloan School of Management; ideas from a seminar organised by the Shaping the Future of Work initiative (January 2025) of the departments of Economics and Applied Economics at MIT, and multi-year long discussions with MIT CAMS corporate members, we view the theory-practice cybersecurity outcome gap through the lens of institutional governance ideas proposed by Acemoglu, Johnson, and Robinson in their books Why Nations Fail: The Origins of Power, Prosperity, and Poverty, and Power and Progress. We also propose managerial and government action items to reduce this theory-practice gap and eventually pave the way to realise the Indian dream of a “surakshit and viksit Bharat”; not only a “viksit Bharat”. 

Reasons Why Enterprise Cybersecurity Management Fails 

Most enterprises (around the globe), viewed as corporate institutions from the lens of work by the 2025 Nobel laureates in economics, are led by boards and upper management that provide insufficient “cybersecurity boosting rights” to lower-level management groups to be creative, autonomous, and productive in focussing on boosting enterprise cybersecurity while making products through the principle of “baking in cybersecurity by design”. While governance awareness is steadily increasing over time, the gap between a close-knit interdepartmental coherence and vision to integrate cybersecurity into products, and the current status quo of patching cybersecurity, is significant for most global enterprises, and more so for small and medium enterprises (SMEs).

The board and upper management in many enterprises (especially SMEs) often ‘force’ their ‘labour’ (employees in various divisions) to only spend effort on things that increase the profits of the enterprise via selling application products that please customers – rather than making a product that is marginally less pleasing but increasingly robust in cybersecurity. The promotion, compensation, and perk structure is so built within an enterprise that profit-minded employees find it more rational to focus on meeting performance and profit targets than pushing cybersecurity to the top of their work agenda. In addition, in the event of a cyber breach, and in the age of the digital supply chain where technology products are assembled from parts provided through a supply chain network (consisting mostly of SMEs), managements can often (mutually) transfer breach liabilities to companies on the supply chain in the absence of strong liability regulations and limited supply chain visibility as is the status quo. 

Nearly all software-driven organisations today consist of employees on a tilted playing field (i.e., the organisation) that is not well aligned with cybersecurity-boosting objectives. The supply-demand dynamics (market equilibrium) of labour are such that the most creative and technically innovative employees choose roles in software development for products whose value matters most to venture capitalists and enterprise shareholders. These employees are paid well, are usually the top talent from the institutions from which they are hired, and are more interested in innovating than in adding a layer of security over the innovation. The relatively less innovative and coding-competent employee (or the average expert risk manager) is put in cybersecurity roles (add to this that cybersecurity roles can be too monotonous and boring to attract top talent, and that companies usually lack sufficient awareness to make such jobs interesting) and is paid comparatively less. Even where the pay is high (as in the USA), the best talents usually do not find a fit in cybersecurity roles. This is in complete contrast to the principles laid down in the legendary and seminal “The Mythical Man-Month,” authored by Fred Brooks, who states that enterprise management should invest in fewer, but highly skilled, coding talents for the most business-critical applications. Cybersecurity today is a critical application that integrates AI, data, and software complexities, which compound the complexities of existing software systems.


The enterprise world is primarily profit-driven, and more so in the private sector. The ‘elitist’ board and upper management (i.e., the big corporate men) are the greedy, myopically visionary bunch who control how capital is going to flow from investors/consumers into an enterprise. They often create business thought monopolies wherein product innovation rules and drives the day-to-day operations of a digitally driven company. Unless the business product under consideration is cybersecurity-focused, most C-suites and boards tend to treat product or service cybersecurity as a secondary concern. Only very few corporations are keen to invest in deploying and integrating, on a periodic and rolling basis, the disruptive and novel cybersecurity technologies invented by industry and academia into their services and products. They are overly myopic in targeting short-term profit rather than playing the infinite game of long-term profit, which is significantly higher if one incorporates cybersecurity into the (people, process, technology) triplet. As a result, these ‘big corporate men’ hire people to lead divisions who share their views. In addition, they are behaviourally biased towards underestimating cyber risk and misjudging risk-reward trade-offs, which leads them to miscalculate the business disruption impact on revenues and consumer base that can follow a cyber-attack. Moreover, global governments exercise only weak institutional security governance over their corporate sectors where cybersecurity is concerned.

The five reasons, when combined, result in a digitally driven ecosystem of enterprises where cybersecurity is severely suboptimal in most individual enterprises (which are usually small and medium-sized) and their global supply chain networks. This has led to multiple systemic cyber incidents in the last decade with near-catastrophic economic and societal impact, with nation-state adversaries leveraging enterprise network cyber loopholes to cripple businesses.


Action Items to Boost ‘Institutional’ Cybersecurity Management

Governments around the globe should work with digitally driven enterprise managements to ensure proportional pay fairness between cyber and non-cyber jobs. In other words, cyber jobs in similar seniority categories should pay proportionally more than their non-cyber counterparts to attract better talent, or at least talent comparable to non-cyber technical professionals. This will mitigate the problem of business thought monopolies wherein product innovation (rather than product cyber innovation) rules and drives the day-to-day operations of a digitally driven company.

The upper management will be ‘pushed’ into hiring divisional heads, each of whom is significantly AI-cybersecurity aware, to ensure that not only is high-quality cyber talent recruited for every product, but security is also baked into the product on the people, process, and technology dimensions. This practice, if imbibed by many small and medium enterprises (SMEs), will strengthen enterprise supply chain security.

According to the World Economic Forum, more than 30 percent of CXOs around the globe are of the opinion that supply chain cybersecurity threats are the greatest challenge to their business today. 

Corporate institutions should invest in modern technology (like AI) on one hand to incrementally increase the productivity of employee jobs, but at the same time invest in cyber validation/verification of the same jobs. This is especially true of AI, which has a footprint on nearly every job. This practice will increase the number of jobs in tech and cyber-tech roles, aligning with the people, process, and technology pillars of business. With a fair pay structure across roles, the most likely outcome will be better and more secure products, increased customer interest, improved supply chain cybersecurity, and higher KPIs. However, businesses must necessarily invest in educating their varied digital-minded labour (e.g., via cyber range exercises) on the use and taming of modern technology (e.g., AI, IoT), its pitfalls (e.g., AI bias, malicious code injection, AI data poisoning), and its compliance with operational standards (e.g., NIST, ISO, NIS2), to ensure business products robustly thrive in a complex cyber terrain. A long-term vision behind effective education and its positive impact on a secure and strong capital economy can be charted by global governments and implemented by strengthening cyber education, starting at the grassroots levels (K-12 education, primary schooling). Such an education, alongside one on the use of disruptive technologies, will ensure that an army of cyber-aware and talented personnel is always available to complement a rapidly growing digital economy with strong security guarantees against (national or business) rivals.

Business management should carefully design the cost-benefit trade-offs of integrating digitally transformative and disruptive technology like Generative AI into product development cycles at the people, process, and technology pillars. While AI can, in theory, significantly boost productivity and efficiency across every line of business, institutional heads should deliberate properly on which business processes to adopt AI for and at what cost (to individual businesses, society, and the economy). This decision-making exercise is extremely important for (but not limited to) (a) AI-powered supply chain networks of which a business enterprise is part and (b) public and private e-commerce platform owners (e.g., multi-sided business (promoting) platforms such as Uber, or ONDC in India) that operate and bring under their hood multiple supply chain network stakeholders and facilitate the success of multi-sided market platforms. Every operation in such systems runs the risk of cyber (and non-cyber) loopholes due to the novelty of not-very-secure technology with AI vulnerabilities that, if exploited, can spread across multiple system stakeholder operations in the form of cascading catastrophic cyber risk (think advanced versions of SolarWinds, NotPetya, CrowdStrike). Assume, in the best-case scenario, that most stakeholders have cyber insurance support; the costs borne by them will still be significant, with or without insurance, and will cripple platform success.

With the advent of, and increasing reliance on, disruptive technology, there should be a government intervention/push (e.g., in the shape of regulations such as the EU Cyber Resilience Act, GDPR, Executive Order 14028) to form ‘unions’ of corporate institutional civic bodies that encourage cooperative efforts (e.g., CTI sharing) towards promoting cyber innovation across all business processes in a supply chain network and/or multi-sided business platforms. These unions should work in tandem with business leadership to sustainably focus on baking cyber into operations and counterbalancing tech innovations with cyber innovations on every layer of a business application/product. Without such centralised regulations, supply chain network operations will not be sustainably secure, as businesses that focus on the cybersecurity of their operations will fail to sustain themselves. Government intervention in the private and public sectors could come in the form of subsidies and monetary assistance for cyber innovation (especially for SMEs) where proper cyber hygiene is adopted by businesses that are part of supply chain networks and/or multi-sided platforms, and taxes where it is not. It should be kept in mind that nation-state actors are always on the lookout to cripple competing or rival economies geopolitically. They will often take the cyber route through AI- and IoT-driven enterprise supply chains as the easiest and most cost-effective way forward.

Ranjan Pal (MIT Sloan School of Management, USA)

Bodhibrata Nag (Indian Institute of Management Calcutta)

Ekta Jain (Alliance Infotech, USA)

[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]
