There are no winners in the blame game

Every time a major security breach makes the headlines, a common reaction happens. Even before the details of the breach are known, the infosec world gets into a frenzy of speculation as to how the attack happened, who conducted it, and whether the attackers were skilled or not. Invariably the conversation focuses onto the company that is the victim of the attack, and it often tends to highlight how stupid, negligent or weak its security defenses were. In effect, we blame the victim for being attacked.

While the organization may have been negligent, or their security not up to scratch, we should not forget they are still the victim. How good, or not, the victim’s security is a separate issue for a separate conversation. Foisting blame on the victim on top of having to deal with the incident does not bring much value to the conversation. The blame for the attack should lie squarely on the shoulders of those who conducted it.

Our tendency to blame others for security failings does not stop at the victims of security breaches. Security professionals often berate developers for writing insecure code, when in fact those developers are coding in the way they have been trained. Users are derided, mocked, and blamed for clicking on links, falling for phishing scams, or not following policies, when all they were trying to do was their work.

Management gets blamed for not investing enough money or resources into security. Vendors are blamed for producing and selling products that do not meet our expectations when it comes to protecting our systems. We blame governments for not giving security the attention it should get or not giving the necessary resources to law enforcement to deal with the rise in cybercrime.

It is interesting to note that in all the assigning of blame we very rarely blame ourselves. There is an appropriate saying: “When pointing a finger at someone there are always three of your fingers pointing back at you.” This is something that we in information security need to think about. Instead of concentrating on the weaknesses of others we should look at our own shortcomings. We never seem to ask why is it that developers have not been trained or made aware on how to code securely? How come users don’t understand the risks of clicking on links and attachments or realize that security policies are in place for a reason? Why does senior management not appreciate the risk poor information security poses to the business?

We criticise and berate others for not understanding information security as well as we do and then wonder why no one will talk to us. We fail to engage with developers, users, and management to proactively understand their requirements. We rarely look at ways to support them so that they can do their jobs in a secure manner.

Blame shames people and makes them less willing to share in the future. Users will be afraid to report potential security breaches as a result of clicking on a link in an email, which will lead to our networks being potentially exposed. Companies will not be willing to share how they suffered a security breach as they fear the ridicule and negative impact on their image from those who may focus on the inadequacies of their defenses rather than the fact they are a victim. When we don’t share our experiences we cannot as an industry learn, and by not learning we will find it more difficult to protect ourselves.

So next time you are dealing with users who do not know how to work in a secure manner, don’t blame the users but rather take a step back and try to understand where and how we have failed to enable them to work securely.
When management does not provide the necessary resources to improve information security, let’s not blame them for not understanding the issue. Instead let’s try to learn how to better present the business case that will get management to approve the investment.

The next time a company’s network security is breached remind yourself that they are the victim of a crime. Instead of shaming and blaming the victim, our focus should be on how to stop those responsible for the attacks creating more victims.

In the blame game nobody wins, yet everybody loses. As the famous American novelist John Burroughs said: “You can get discouraged many times, but you are not a failure until you begin to blame somebody else and stop trying.” We have too much at stake in ensuring our systems and networks are secure to fail at what we do. We will be discouraged many times but let’s not become failures – let’s stop playing the blame game.

Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, he wrote the book ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.