The Dangerous Relative Perspective of Cyber Security

In this article, our Security Advisor, Niclas Hedam, reflects on the dangerous relative perspective on cyber security, and on where it leaves us as an industry if we do not strive for the best we can achieve but settle for a relative perspective — simply being better than others.

March 6, 2025, by Niclas Hedam, Security Advisor, itm8

The Academic World vs. Reality

I spent years in academia — first a bachelor’s, then a master’s, and before I knew it, I was buried in research, working my way through a PhD in computer science specialising in data systems. In that world, everything was about absolutes. Performance and efficiency could always be improved, systems could always be made faster, and success was measured in breakthroughs. If I pushed past the limits of what was thought possible, I didn’t stop — I kept going. There was no finish line, only progress. I call this the absolute perspective, because the goals are absolute, not relative to previous results.

Then I moved into cyber security, and suddenly everything was the other way around. Security wasn’t about pushing the boundaries of what was possible. It wasn’t about achieving the best — it was about being good enough. The goal wasn’t to build the most secure system or environment imaginable; it was to make sure your system was just a little more secure than those of comparable companies. I call this the relative perspective, because how secure your company actually is becomes inconsequential when the only comparison is to your peers.

It reminded me of watching people on the news prepare for a hurricane. Some pile up sandbags, some install pumps in the basement, and some just glance at their neighbour’s house and think: “As long as I am slightly better prepared than them, I should be fine.” They’re not trying to be invulnerable — just less vulnerable than someone else. And maybe that logic works — until the hurricane is strong enough that everyone is at risk.

When Relative Perspective Isn’t Good Enough

This relative approach to security made sense in the past. Burglars would drive down a residential street and break into the house that looked the least protected. For homeowners, it was about not attracting attention and hoping that the burglars would move on to the house next door. No house is unbreakable, just as no company has infinite resources, and risk isn’t something you eliminate — it’s something you manage. But when everyone plays the relativity game, the bar for security isn’t set by what’s possible — it’s set by what’s good enough. It’s not about building strong walls; it’s about making sure someone else’s walls are easier to climb.

But what happens when attackers stop acting like burglars looking for the easiest target and start behaving like bacteria or a virus? In a crowded train, bacteria and viruses don’t target the weakest person; they target everyone. Now, what happens when the hurricane comes for everyone, no matter whose sandbags were stacked higher?

That’s where the relative perspective starts to fall apart. If security is only measured against competitors, the entire industry risks drifting toward naivety and ignorance. So how do we break out of this cycle? It starts by recognising what happens when we don’t. When companies settle for good-enough security — just aiming to be slightly better than their competitors — they leave themselves vulnerable to attackers who are no longer playing by the old rules. And history has shown us the consequences of this mindset.

The Fallible History of Relative Perspective

Take Equifax, for example. In 2017, the credit reporting giant suffered a breach that exposed the personal data of nearly 150 million people. The cause? A failure to patch a known vulnerability in Apache Struts. The patch had been available for months, but because Equifax’s security approach wasn’t proactive and absolute, the attackers got in with ease. The company may have thought its security was on par with industry standards, but that didn’t matter when its actual defences failed against a real threat.

Then there’s SolarWinds, a case that sent shockwaves through the cyber security world. This wasn’t an opportunistic attack — it was a sophisticated supply chain compromise. Attackers inserted malicious code, via an insecure FTP server, into SolarWinds’ software updates, which were then distributed to thousands of customers, including U.S. government agencies and Fortune 500 companies. And because SolarWinds had recommended that its customers turn off antivirus on systems running SolarWinds’ software, the attack remained undetected for months.

SolarWinds wasn’t targeted because it had particularly weak security; it was targeted because attackers knew that companies often trust software updates implicitly, and because the industry had blindly followed the recommendations of SolarWinds and disabled their antivirus. When security is treated as a relative game — just staying slightly ahead of the next guy — it creates systemic weaknesses that attackers can exploit at scale.

These incidents aren’t outliers. They’re proof that treating security as a game of relativity — where the goal is to be better than average rather than resilient against threats — leads to catastrophic failures. Attackers don’t care about industry standards. They care about what works and what doesn’t.

Compliance Is Relative Perspective in Disguise

Many organisations believe they are secure because they pass audits and meet regulatory requirements. But compliance isn’t the same as security. Compliance frameworks define minimum security standards, not optimal ones. Following them may keep regulators satisfied, but it won’t stop a determined adversary. 

This is why a relative approach to security is so dangerous. If everyone is merely trying to be slightly better than the next company, the overall security landscape remains weak. And when a serious, coordinated attack comes — whether it’s a supply chain compromise, ransomware campaign, or zero-day exploitation — it doesn’t just affect one organisation. It cascades across industries, affecting businesses, governments, and consumers alike. 

If history has taught us anything, it’s that attackers aren’t interested in playing fair. They don’t care if you’re slightly more secure than your competitor. They care about whether they can break in. And as long as companies measure security in relative terms, rather than in absolute terms against real threats, they will continue to suffer the same fate as Equifax and SolarWinds.

Is Your Company’s Perspective Relative or Absolute?

So where do we go from here? Should cyber security experts have a seat in every boardroom, making decisions at the highest levels? Should governments step in with stricter regulations to push companies beyond the bare minimum? 

One approach could be overhauling the way cyber insurance works. What if insurance premiums were based on deep third-party security evaluations, forcing companies to compete not just on market performance but on security resilience? What if executives were held personally accountable for major breaches — facing fines, job loss, or even criminal liability in extreme cases — just as they are for financial fraud? Would that finally make cyber security a board-level priority?

Perhaps governments need to mandate security baselines that evolve with threats, rather than static compliance checklists that quickly become obsolete. Maybe we need independent bodies rating companies’ cyber defenses, similar to credit ratings, to incentivise real security improvements rather than box-checking exercises. Or perhaps public perception needs to shift — if customers started choosing services based on security ratings, would companies finally take it seriously? 

The time to act isn’t after disaster strikes. It’s now. In the end, the hurricane doesn’t care who looked prepared. It only cares about what withstands the water. The question isn’t whether your security is better than average. The question is: is it better than the attackers? 