TLDR: Three reasons nobody cares about cybersecurity: the economics don't justify it, the products don't work, and the industry has spent 20 years scaring people into apathy. Here's what needs to change.
As the CEO of a cybersecurity company, I realize that it may seem strange to say that no one really cares about the very thing we sell; bear with me.
It’s that time of year again. RSAC is here, transforming San Francisco into a bustling bazaar of black t-shirts, oversized hoodies, and enough logo-wrapped stress balls to fill the Mariana Trench. The marketing departments of the world’s security vendors are polishing their buzzwords, preparing to unleash a tsunami of "AI-driven," "zero-trust," and "next-gen" promises upon the C-suite. The hype machine is spinning up, ready to tell us that the digital apocalypse is nigh, and the only salvation lies within a subscription license.
But, if you escape that bubble and talk to “regular people”, you realize that, actually, fewer people give a s##t about cybersecurity than you think (I’ve heard this several times this year already). To be clear, this is not coming from disgruntled “grey beards”; it comes from people who run businesses, invest in them, and work in them. The security industry's response to this is, of course, that these people just “don’t get it”, that it’s an end-user issue; we’re so smart, you’re not, etc… but this is, to be frank, a completely stupid response.
Focusing on "making people understand" is a fool’s errand because the lack of understanding isn't the problem. The problem is that, rationally speaking, they are right not to care, and this is our fault.
The security industry loves to patronize the rest of the business world. We treat executives like toddlers who haven't learned not to touch a hot stove. We lecture them on risk matrices and threat actors. We assume that their apathy is a failure of communication.
In reality, it’s economics reinforced by a failure to deliver.
For the vast majority of organizations — regional manufacturers, retail chains, mid-sized logistics firms — cybersecurity is not an existential pillar of the business. It’s a friction cost. It’s a utility bill.
The average organization does not suffer from a lack of understanding; it suffers from an abundance of priorities. Leaders have a fiduciary duty to grow revenue, reduce overhead, and return value to shareholders, or, put more simply, to make money. When presented with the choice of spending $500,000 on a new widget press that increases output by 15%, or spending it on a "Next-Gen Security Operations Center" that promises to prevent a hypothetical breach that may happen three years from now, well, they buy the press. Every single time.
To the business leader, cybersecurity is a negative investment. You are spending money to ensure that *nothing happens*. The mythical “return on investment” is presented as the way to assess this spend, and is supposed to give you the confidence to explain to your board or boss why you spent it. But “attacks prevented” is not a line on a quarterly report, nor can it be (unless you just make it up).
That’s because this is a calculated gamble. Businesses manage risk. They look at the probability of a catastrophic breach, they look at the cost of prevention, and they roll the dice. Most of the time, for most companies, the math works out in favor of neglect. The sky doesn't fall. The business keeps running. The breach happens, they pay the ransom (or the insurance does), they issue a press release, and the stock price dips for a week before rebounding.
They understand the stakes perfectly. They just know that the cost of caring is higher than the cost of apathy.
Of course, saying "nobody gives a s##t" is a generalization, and like all generalizations, it has glaring exceptions. There are sectors where cybersecurity is treated with deadly seriousness. These sectors prove the rule that security is only important when it protects the core asset: existence itself.
Take the government and the military. They care. They care deeply (in some areas). But not necessarily because they have a superior moral compass regarding data privacy. They care because cyber-warfare is now a fifth domain of battle. A breach in a military network isn't just a data leak; it’s national security. If a power grid goes down or a missile guidance system is compromised, it can lead to a kinetic strike, and people could die. The government cares because its "product" is sovereignty, and its threat model is an adversary trying to dismantle it.
Then there are the banks. Banks are the ultimate counter-argument to the "nobody cares" theory, but only because their entire existence is predicated on a single illusion: the sanctity of the ledger.
Banks do not invest billions in security because they love firewalls. They invest because if a bank gets hacked, money disappears. If money disappears, trust evaporates. If trust evaporates, the bank ceases to exist.
And of course cybersecurity professionals care too, and many of them try extremely hard to deliver under ever more dire circumstances.
Compare this to a hospital. If a hospital is hacked, surgeries are delayed and records are leaked. It is a tragedy. But the hospital still has doctors and nurses. The building is still there. The core product (healthcare delivery) is disrupted, but work can still go on. Banks, however, possess digital inventory. If you steal the digital inventory, the bank is a hollow shell. Therefore, banks care.
The rest of the economy? They are merely protecting data. Data is infinite, easily copied, and intangible. It is much harder to get a CEO to give a s##t about a folder of spreadsheets than it is to get a General to care about a nuclear silo or a Bank Chairman to care about a vault.
Of course some boards and senior managers do care; again, I am talking in generalizations here.
If economic reality is the root cause of apathy, the cybersecurity industry itself is the fertilizer that helps it grow. We have spent the last two decades crying wolf so loudly and so incessantly that we have deafened our audience.
The RSAC Conference will serve as the perfect microcosm of this failure. The expo floor will be filled with vendors screaming about "Cyber Pandemics," "Digital Pearl Harbor," and "The End of Privacy." Every vulnerability is "Critical." Every script kiddie is a "Sophisticated Nation-State Actor." Every phishing email is an "Advanced Persistent Threat."
When everything is a crisis, nothing is. The industry operates on a fuel of pure panic—FUD (Fear, Uncertainty, and Doubt). We bombard executives with terrifying statistics and horror stories. But humans, especially business leaders, have a finite capacity for panic. Eventually, they tune it out. It becomes background noise.
"Oh, the sky is falling again?" the CEO mutters, deleting the latest alert. "Just like it was falling last quarter, and the quarter before that? Fix it, but don't spend any more money."
This alarm fatigue is exacerbated by the fact that the products we sell often fail in the clutch. The cybersecurity market is rife with snake oil. We sell "AI-driven" defense systems that require a team of PhDs to configure. We sell "unhackable" hardware that is compromised by a default password left on a remote access port.
Other examples include:
EDR solutions can be bypassed (most of them without too much effort), so the super hacking group you are being terrified of is going to get in anyway.
Alerting systems often feed back to you the alerts your systems are already producing, with added flashing lights. They don’t track the behavior patterns that actually indicate something bad is happening.
3rd-party vendor assessments are usually glorified checkbox exercises that are easily gamed (we’ve seen enough documents written the day before an audit to know this is true). Or worse, they rely on external data points that are meaningless when scrutinized.
We then have organizations who exist to mine our data and violate our privacy, also supposedly being the ones who have a solution. This is akin to drug dealers operating rehab clinics.
This is then further exacerbated by sponsored product placement disguised as research or as conference talks, by endless marketing, and by an investment industry whose only real job is to get a company large enough for the next transaction. That means you either start out with a useful product that is a piece of junk a few years later, or it’s junk to begin with but with really cool marketing. I was told once that if you take investment, at least 50% should be spent on marketing. This does not a good product make.
So in all likelihood what someone buys is not up to the task, which further increases doubts about the industry, and further decreases the likelihood of caring.
Finally, the lack of accountability in the vendor market reinforces the apathy. If you buy a car and the brakes fail, you sue the manufacturer. If you buy a security tool and get hacked, the vendor shrugs and says, "security is a process, not a product." The ultimate cop-out. It tells the buyer that they can never truly buy safety, so why bother buying the best? Just buy the minimum to satisfy the auditors and move on.
We, even now, have situations where cybersecurity tools cause outages, and this gets spun into humor and positive marketing. I’m fairly sure if a medication made 50% of the population sick, the drug company would not win an award.
In the absence of genuine concern, or perhaps in an effort to just provide some kind of signpost, we have erected the temple of Compliance. GDPR, HIPAA, PCI-DSS, SOC2. These are the guardrails of the industry, but they are also the enablers of apathy.
For the majority of organizations, "doing cybersecurity" is synonymous with "passing the audit." It is security theater. It allows the C-suite to point to a certificate on the wall and claim due diligence.
Compliance has given us a false sense of security. It reduces the complex, messy reality of digital defense to a checklist. Do we have a firewall? Check. Do we have a password policy? Check. Do we have a disaster recovery plan? Check.
The audit does not ask if the firewall is actually configured correctly. It doesn't ask if the disaster recovery plan has been tested in the last three years, or if the password policy forces users to write their passwords on sticky notes.
Compliance allows organizations to rationalize their indifference. "We followed the rules," they say when the breach happens. "We were compliant." It is the ultimate shield against blame. It allows the industry to operate on the bare minimum, treating security not as a strategic imperative, but as a regulatory tax. It is the codification of "nobody gives a s##t" into law.
Much of the time these audits are not conducted by experts, surely another sign of how little security is valued: you would want your building inspected by someone who understands construction and engineering, so why not your security?
Finally, there is the adversary. Not the hackers, but the employees. The industry loves to blame "the human element." "Users are the weakest link," we proclaim. "They just don't get it.” The safest computer is one that is turned off — if ever there was a sign of a disconnect surely it is that statement.
We treat the workforce like children. We force them to endure "Security Awareness Training": mind-numbing videos of actors in hoodies pretending to be hackers. We send them simulated phishing emails to trick them, and when they click, we shame them. We create a culture where security is the Fun Police, blocking websites, forcing 90-day password rotations, and breaking their workflow. Oh, and none of this has been shown to actually work. Many of the major hacks we read about are still done via social engineering, so surely we can conclude that after 20 years of security awareness training, it has failed.
Why do we keep doing it? Compliance and some marketing.
Instead, security should be seamless to the end user (the person trying to do their work, or whatever else they are doing). We can congratulate ourselves for judging those who won’t do things the way we want, or we could actually get over ourselves and help them. Humans will seek the easiest way to do things, not because they are lazy or stupid, but because your “average” employee is trying to keep their job at a time when everywhere they look they are being told that AI is going to replace them, while their workloads keep growing and their deadlines keep shrinking.
People will share passwords, so you know what? Build a monitoring system that notices George is logged in from four computers at the same time and flags that something may be up. But then also assess what risk that actually poses to the organization. Is George logging into the HR system from four places, or logging in to see the company's lunch menu? And keep going from there. Apply common sense to the problem, rather than expecting some kind of fantasy land.
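The "George is logged in from four computers" check above, combined with the earlier point about alerting systems that don't track behavior patterns, is the kind of thing that is cheap to build and easy to get wrong. The following is an added example, not code from the original post or from the author's company: it reads constructed authentication log lines (timestamp, user, source host, application), looks for a user active on several distinct hosts inside a short window, and then weights the finding by the sensitivity of what was accessed, so the HR-portal case gets investigated and the lunch-menu case is dropped. The log lines, user and host names, application names, sensitivity tiers, 15-minute window and three-host threshold are all assumptions made for the illustration.

```python
"""Concurrent-login detection weighted by resource sensitivity.

Added example, not from the original post. All log data, names,
thresholds and risk tiers below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <user> <source host> <application>"
SAMPLE_LOG = """\
2024-03-04T09:01:12Z george ws-101 lunch-menu
2024-03-04T09:02:40Z george ws-207 lunch-menu
2024-03-04T09:03:05Z george ws-318 lunch-menu
2024-03-04T09:03:50Z george ws-422 lunch-menu
2024-03-04T09:10:00Z alice ws-055 hr-portal
2024-03-04T09:11:30Z alice ws-056 hr-portal
2024-03-04T09:12:10Z alice ws-057 hr-portal
2024-03-04T09:12:45Z alice ws-058 hr-portal
2024-03-04T10:30:00Z bob ws-900 hr-portal
2024-03-04T11:45:00Z bob ws-901 hr-portal
"""

# Assumed sensitivity tiers (0 = nobody cares, 10 = investigate). In a real
# deployment these come from the organization's asset inventory.
RESOURCE_RISK = {"hr-portal": 10, "finance-erp": 10, "wiki": 3, "lunch-menu": 0}
UNKNOWN_APP_RISK = 5                      # assumption: unlisted apps are medium risk
SESSION_WINDOW = timedelta(minutes=15)    # assumption: how long a login counts as active
HOST_THRESHOLD = 3                        # assumption: distinct hosts that looks like sharing


def parse_log(text):
    """Parse the space-separated log format into sorted (time, user, host, app) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, app = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host, app))
    return sorted(events)


def detect_shared_logins(events, window=SESSION_WINDOW, threshold=HOST_THRESHOLD):
    """Return {user: finding} for every user seen on >= threshold distinct hosts
    within `window`. The finding records the hosts, the apps touched, and the
    highest sensitivity among those apps, so triage can prioritise on impact
    rather than on raw alert volume."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        # Sliding window anchored at each of the user's logins (evs is time-sorted).
        for i, (t0, _, _, _) in enumerate(evs):
            hosts, apps = set(), set()
            for t, _, host, app in evs[i:]:
                if t - t0 > window:
                    break
                hosts.add(host)
                apps.add(app)
            if len(hosts) < threshold:
                continue
            risk = max(RESOURCE_RISK.get(a, UNKNOWN_APP_RISK) for a in apps)
            prev = findings.get(user)
            # Keep the worst window per user: highest risk, then widest host spread.
            if prev is None or risk > prev["risk"] or len(hosts) > len(prev["hosts"]):
                findings[user] = {"hosts": hosts, "apps": apps, "risk": risk}
    return findings


def triage(findings):
    """Map each finding to an action: investigate what matters, ignore the noise."""
    actions = {}
    for user, f in findings.items():
        if f["risk"] >= 8:
            actions[user] = "investigate"
        elif f["risk"] > 0:
            actions[user] = "log only"
        else:
            actions[user] = "ignore"
    return actions


if __name__ == "__main__":
    found = detect_shared_logins(parse_log(SAMPLE_LOG))
    for user, action in triage(found).items():
        f = found[user]
        print(f"{user}: {len(f['hosts'])} hosts, apps={sorted(f['apps'])}, "
              f"risk={f['risk']} -> {action}")
```

On the constructed input, george (four hosts, lunch menu) is dropped, alice (four hosts, HR portal) is raised for investigation, and bob (two hosts, 75 minutes apart) never trips the threshold at all. The point is the ordering of the two steps: the behavioral pattern produces the candidate, and the sensitivity of the resource decides whether anyone should ever see it.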
Maybe users don’t need to care about cybersecurity? Maybe it just needs to work?
As RSAC approaches and the industry revs up its engines of fear, remember what buyers and users actually think: they just don’t give a s##t about cybersecurity.
Maybe this sounds cynical, but I like to think of it as a call for realism.
We need to stop framing the problem as an educational deficit. People understand the risks; they have simply calculated that the cost of caring is too high.
I once gave a presentation called “the business of the people trying to f##k with your business is to f##k with your business.” This is the economic reality of the world: bad guys make money by doing bad things. The good guys make money by reducing how much they spend to stop those bad guys. Cybersecurity is never going to make an organization money (apart from those selling it). It can stop losses (which is incredibly important), but it needs to respect the buyer/user and economic reality. Stop fleecing organizations with tools and services that don’t help because you don’t understand that reality.
We breach systems today in similar ways to how we breached them 25+ years ago; this is not something to be proud of. As an industry we have failed, and continue to fail, our customers. We need to stop selling the apocalypse. Fear can be a great way to get someone to buy a thing, especially fear of loss, but the story of the boy who cried wolf was written long before computers were around, because people knew how this played out back then.
So let's stop selling the apocalypse, stop supporting an industry which is barreling towards existing merely to exist, and start offering actual solutions, which help people without burdening them.
I have been around cybersecurity (data security, information security, cracking, hacking) for over 35 years. I have suffered the same hubris as much of the industry, judged people based on their technical understanding, and avoided common sense in favor of clever ideas that crack in the light of day. I started a company to try and address that, and yet I still at times fall into that trap. I am lucky to know people who’ll slap me back to reality. I have no delusions that this article will be “picked up”; our marketing budget remains on the small side, certainly not big enough for some good RSAC coverage. However, we continue to fight the good fight, having candid conversations with businesses who are looking for real help with their security and offering them solutions that work for them, and I hope this article gives us a chance to talk about what we believe is happening in the cybersecurity vendor space. Until we fix this, good business will continue to be to just click “ignore” on that security alert.
Thanks for reading
Mark