Does the current technology market adequately reward companies for investing in cybersecurity? It’s an interesting discussion, and a question posed by Ollie Whitehouse, NCSC’s CTO at CYBERUK 2025’s Tech Plenary Session. His claim is that while the technology to build secure products exists, the business incentives for their adoption are insufficient. The market therefore is ‘non-functional’.
In response to the discussion that followed, a recent blog post from the NCSC goes on to explain more about why this may be the case, and why market incentives need to shift towards a more security-focused position. As the article points out:
- Organizations tend to prioritize immediate concerns over longer-term cybersecurity risks
- The costs of cybersecurity are often not borne by those investing in it but by end users or society
- In complex supply chains, buyers lack sufficient information about the security of products
It’s an insightful view. As a result, the NCSC goes on to propose four key drivers to help shift market incentives: legislation and liability, ecosystem consensus, transparency (components and security in the supply chain), and financial rewards, showing the return on investment for foundational security.
“The cost of underinvestment in cyber security is ultimately borne not by the vendors, but downstream, by customers, insurers, the government and wider society. It is these market fundamentals that need to be addressed if we are to prevent software and hardware vulnerabilities being exploited.” – Ollie Whitehouse, NCSC CTO.
With future threats, such as quantum computing on the horizon, there’s clearly a requirement to ‘think big’ in order for our future digital infrastructure to be ready for the next generation. The dynamics of the market need to change, raising cyber resilience across the globe, and making life tougher for attackers.
You can view the CYBERUK Tech Plenary session in full here, and read the NCSC blog post “Sausages and incentives: rewarding a resilient technology future” here.