Time to put an end to the cybersecurity blame game

Whenever something goes wrong there’s a natural tendency to want to find someone to blame. In the realm of cybersecurity, that urge to blame someone often results in someone getting fired whenever there is cybersecurity breach. The results of a survey of  more than 400 C-suite executives from enterprises across the U.K. and U.S. that oversee businesses with over 8,000 employees published this week by Nominet, a provider of a managed DNS security services, finds that one-third of CEOs said that they would terminate the contract of those responsible for a data breach.

The trouble with the blame game is that it typically is an attempt to project, deny, or displace responsibility by avoiding awareness of your own flaws or failings. The same C-level executive survey notes more than three-quarters (76%) respondents admit they know that a cybersecurity breach is inevitable. A full 90% said they are lacking at least one resource necessary to defend against a cyberattack.

The simple fact of the matter is that from a cybersecurity perspective the systems that people are being asked to employ to accomplish their jobs are deeply flawed. While there is the occasional egregious breach that someone should be held accountable for causing, most breaches occur because the applications and systems in place simply make it too easy to make a mistake. The truth is the systems in place are to blame. Of course, the people who put the systems in place tend to be C-Level executives that know full well the systems are deeply flawed. The Nominet survey also finds that senior managers are reluctant to accept advice (46%); lack budget (44%), and a lack of people resources (41%).

Cybersecurity professionals are often no better when it comes to playing the blame game. Even though the know C-Level executives will unfairly hold cybersecurity professionals accountable to cybersecurity breaches, many of those same cybersecurity professionals have no qualms about pointing an accusatory finger at end users every time a breach occurs. It is true end users do many things that from a cybersecurity perspective that are downright stupid. But it’s the underlying IT environment that enables that stupidity.

The time for when business executives, IT leaders and cybersecurity professionals to have an adult conversation concerning the true level of cybersecurity resiliency in their organization is long overdue. Organizations routinely continue to employ legacy systems even though they know they are riddled with cybersecurity flaws. By continuing to rely on those systems business leaders are accepting a level of risk. Blaming someone when there is a compromise when those business leaders knew the risks involved is disingenuous at best. There also needs to be acceptance of the true role of the cybersecurity professional. There is no way to eliminate all the risk in the system. The job of the cybersecurity professional is to mitigate that risk as much as possible given the flawed nature of the systems in place.

Naturally, a big part of that effort should be reminding end users of what’s at risk and how flawed the environment really is. However, firing someone because of a breach should only occur when all the cybersecurity professionals and business executives that put those systems in place are also willing to submit their own resignations.