Outrunning the Slowest Is Not a Strategy—But It’s Not Entirely Wrong Either
Hello folks,
There’s an old survival joke: "You don’t need to be the fastest runner when escaping a bear—just faster than the slowest person."
I’ve heard this analogy used in cybersecurity discussions more than once. The idea is simple: as long as your defenses are better than the next organization, attackers will move on to an easier target.
And you know what? There’s some truth to this.
Most cybercriminals—especially those running ransomware operations, phishing scams, or credential stuffing attacks—aren’t chasing the most difficult targets. They’re running a business.
They want quick, easy money with the least amount of effort. They’re not in the game to solve puzzles or flex their technical skills—they’re in it for ROI. If breaking into a company takes too much time, effort, or resources, they’ll likely move on.
In that sense, not being low-hanging fruit is a valid strategy.
I mean, imagine two houses in a neighborhood.
One has CCTV cameras, motion sensor lights, a reinforced gate, and a barking dog.
The other has an unlocked door and a “Welcome” mat.
If you’re a burglar looking for a quick score, where do you go?
That’s why basic cyber hygiene—patching vulnerabilities, enforcing MFA, segmenting networks, limiting privileged access, and having robust backups—is still your best bet at avoiding mass-scale cybercrime.
But What If You’re the Target?
Now, here’s where the analogy falls apart.
If the attacker is specifically after you, then it doesn’t matter how “fast” you run. They will find a way.
If your company holds sensitive financial data, you’re a high-value target.
If you manage critical infrastructure, expect nation-state interest.
If you’re a supplier to big enterprises, attackers might use you as a stepping stone (hello, supply chain attacks).
And let’s be honest—some attackers just don’t give up easily.
I remember speaking with a CISO who dealt with a persistent attacker that kept coming back for months. Her team blocked the initial attack, only for the adversary to switch tactics, change infrastructure, and try again. They weren’t just looking for an easy payday—they had a specific motive.
This is why cybersecurity isn’t just about making yourself a harder target than the next organization. It’s about resilience.
Resilience Over Speed
Instead of only focusing on "not being the slowest," we need to think bigger.
Assume compromise – Build defenses as if attackers will get in at some point.
Prepare for persistence – Not every attacker gives up easily.
Reduce blast radius – If they do get in, make sure they can’t move far.
Have a solid response plan – It’s not just about keeping them out; it’s about bouncing back fast.
So yes, running faster than the slowest person might save you from opportunistic attacks. But for serious threats? You need to be built for endurance, not just speed.
Because in cybersecurity, it’s not just about outrunning the attack—it’s about withstanding it.
That’s all for this week!
Cheers,
Siva