While the organization may have been negligent, or their security not up to scratch, we should not forget they are still the victim. How good, or not, the victim’s security is a separate issue for a separate conversation. Foisting blame on the victim on top of having to deal with the incident does not bring much value to the conversation. The blame for the attack should lie squarely on the shoulders of those who conducted it.
Our tendency to blame others for security failings does not stop at the victims of security breaches. Security professionals often berate developers for writing insecure code, when in fact those developers are coding in the way they have been trained. Users are derided, mocked, and blamed for clicking on links, falling for phishing scams, or not following policies, when all they were trying to do was their work.
Management gets blamed for not investing enough money or resources into security. Vendors are blamed for producing and selling products that do not meet our expectations when it comes to protecting our systems. We blame governments for not giving security the attention it should get or not giving the necessary resources to law enforcement to deal with the rise in cybercrime.
It is interesting to note that in all the assigning of blame we very rarely blame ourselves. There is an appropriate saying: “When pointing a finger at someone there are always three of your fingers pointing back at you.” This is something that we in information security need to think about. Instead of concentrating on the weaknesses of others we should look at our own shortcomings. We never seem to ask why is it that developers have not been trained or made aware on how to code securely? How come users don’t understand the risks of clicking on links and attachments or realize that security policies are in place for a reason? Why does senior management not appreciate the risk poor information security poses to the business?
We criticise and berate others for not understanding information security as well as we do and then wonder why no one will talk to us. We fail to engage with developers, users, and management to proactively understand their requirements. We rarely look at ways to support them so that they can do their jobs in a secure manner.
Blame shames people and makes them less willing to share in the future. Users will be afraid to report potential security breaches as a result of clicking on a link in an email, which will lead to our networks being potentially exposed. Companies will not be willing to share how they suffered a security breach as they fear the ridicule and negative impact on their image from those who may focus on the inadequacies of their defenses rather than the fact they are a victim. When we don’t share our experiences we cannot as an industry learn, and by not learning we will find it more difficult to protect ourselves.