InfoSec Opinion Column #4 (June 9, 2025)
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: Applying the flywheel concept to cybersecurity.
What: Turning the Security Flywheel
Why it matters: Phil Venables always has strong insights and widely-respected opinions about security leadership, and how security programs should be run.
tl;dr:
- The concept of a "flywheel" is fairly common in business: the idea that self-reinforcing activities drive increasing business momentum. The Amazon flywheel is one of the most widely known: selling items at lower prices attracts more customers, which attracts more sellers, which enables more volume-based revenue, which drives prices down, which attracts more customers, and so on.
- This concept can be applied to cybersecurity as well, in a couple of different contexts.
- For example, "Raise the Baseline by Reducing the Cost of Control: Make the deployment of, even advanced, controls more pervasive. Not by sheer will or ever-increasing budgets but by effective control (re-)engineering to reduce the total unit cost of ownership of controls so more controls can be implemented per fixed budget."
Matt's view: It should be no surprise that I view "automation flywheels" as a key leverage point in building flywheels in a cybersecurity program: the more things you automate, the more time you have to automate things. We can map automation to other security flywheels as well. For example, the "cost of controls" can be reduced through automation, allowing companies to run more mature and more effective security controls at a relatively stable, fixed cost.