---
id: "quote-shoot-the-wounded"
type: "quote"
source_timestamps: ["§ Compliance Isn't Security"]
tags: ["regulation", "government-policy"]
related: ["contrarian-regulations-lack-value", "concept-compliance-security-conflation"]
speaker: "Anonymous Cybersecurity Expert"
speakers: ["Anonymous Cybersecurity Expert"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# The 'Shoot the Wounded' Regulatory Mindset

## Quote

> "I think the government has a hard time in this space getting past the mindset of 'go to the battle and shoot the wounded' [i.e., punishing companies that have experienced a cyber incident]. … And if you view shooting the wounded as a useful exercise in morale boosting, then that tells you all you need to know about cybersecurity regulations."

**Speaker:** a cybersecurity expert interviewed by the authors (anonymized).

## Significance

The rhetorical centerpiece of the authors' critique that [[contrarian-regulations-lack-value]] and that [[claim-regulators-poorly-positioned]]. It frames current regulation as **punitive rather than constructive** — punishing breached organizations instead of building security value — reinforcing the [[concept-compliance-security-conflation]]. (The enrichment counterpoint notes this understates evidence that regulation drives real security investment in less-mature firms.)
