A product manager I respect recently said to me, “customers don’t really care about cybersecurity, do they.”
It’s true. Customers don’t care.
Or more precisely: buyers don’t care about cybersecurity. However, after they’ve bought your product or service, and a security incident results in financial harm to your customers, then they will REALLY care about cybersecurity—usually in the form of a lawsuit. And if the problem is big enough, knee-jerk legislation and bad regulation.
The free market has failed to incentivize strong cybersecurity, mostly because buyers don’t understand or care about cybersecurity risk (even though it’s in their own best interests to do so). That means only regulators and regulated entities—like large financial institutions—spend much time thinking about cybersecurity risk before the sale.
But you know who deeply cares about your cybersecurity posture?
Attackers.
Criminals and nation-states who exploit cybersecurity issues for power or profit really care what your cybersecurity posture looks like, even if most of your customers couldn’t care less.
As defenders, we have to be right every single time, and attackers only have to be right once. And attackers can try again and again and again without consequence.
So the idea of using cybersecurity as a product differentiator on the free market is, in most cases, a failed strategy. Few buyers in an unregulated free market are going to use cybersecurity as part of their purchasing decisions. Very few, even.
A better approach is to think always “If I go cheap on security and I have a major security incident that causes my customers financial harm, they are going to sue me out of existence.”
For this reason I frequently observe that cybersecurity as a discipline straddles the boundary between engineering and law. Measuring the financial impact of a security incident almost always includes a legal component.
Do I think customers will ever care about cybersecurity? I doubt it. At least not in my lifetime. It would take a catastrophic, systemic risk event to shatter the currently widespread (and misplaced) faith society has in the resilience of our connected lives.
Even in verticals like cryptocurrency/web3, where the real security risk is extreme and immediate, folks who should know better consistently underestimate the security risks they carry as a business. Read the weekly hacking news from the last bull run, and hang in there for what will surely be more of the same during the next bull run.
I used to think that companies were rational actors that would be able to identify security risk and act in their own best interests.
Now I think that the majority of companies, even in the riskiest verticals, are unable to consistently do that without regulation. Too many business leaders do not understand cybersecurity risk, but they all understand legal risk.
So I’ve reluctantly come to the conclusion, as a practicing security risk manager, that the only way to solve for systemic security risk is government regulation. Which is saying a lot—government cybersecurity regulation has historically been dumpster-fire terrible, and shows every sign of continuing to be just as bad in the future.
But what is the “least bad” option?
We can’t have perfect. Government cybersecurity regulation is a terrible outcome. All the other outcomes seem even worse.
Because customers really don’t care about cybersecurity.