Stop playing the cybersecurity blame game

By Mark Lukie, sales engineer manager – Asia Pacific for Barracuda Networks

Whenever something goes wrong there’s a natural tendency to want to find someone to blame. In the realm of cybersecurity, that urge to blame someone often results in someone getting fired whenever there is cybersecurity breach.

The trouble with the blame game is that it’s typically an attempt to project, deny or displace responsibility by avoiding awareness of your own flaws or failings.

The simple fact of the matter is that from a cybersecurity perspective the systems that people are being asked to employ to accomplish their jobs are deeply flawed. While there’s the occasional egregious breach that someone should be held accountable for causing, most breaches occur because the applications and systems in place simply make it too easy to make a mistake.

The truth is the systems in place are to blame. Of course, the people who put the systems in place tend to be C-level executives that know full well the systems are deeply flawed. A recent survey by DNS security services company Nominet, found that senior managers are reluctant to accept advice (46 percent); lack budget (44 percent) and lack people resources (41 percent).

Need for acceptance

Cybersecurity professionals are often no better when it comes to playing the blame game. Even though they’re aware C-level executives will unfairly hold them accountable for cybersecurity breaches, many of those same cybersecurity professionals have no qualms about pointing an accusatory finger at end users every time a breach occurs.

It is true end users do many things that from a cybersecurity perspective that are downright questionable. But it’s the underlying IT environment that enables that to happen.

The time for when business executives, IT leaders and cybersecurity professionals have an adult conversation concerning the true level of cybersecurity resiliency in their organisation is long overdue.

Organisations routinely continue to employ legacy systems even though they know they are riddled with cybersecurity flaws. By continuing to rely on those systems business leaders are accepting a level of risk. Blaming someone when there’s a compromise when those business leaders knew the risks involved is disingenuous at best.

Firing someone because of a breach should only occur when all the cybersecurity professionals and business executives that put those systems in place are also willing to submit their own resignations.

There also needs to be acceptance of the true role of the cybersecurity professional. There’s no way to eliminate all the risks in systems. The job of the cybersecurity professional is to mitigate that risk as much as possible given the flawed nature of the systems in place.

Work with end users

Naturally, a big part of that effort should be reminding end users of what’s at risk and how flawed the environment really is.

Business leaders need to make sure the people they hire understand that caring for the data is not an inconvenience or burden. Rather, it’s a responsibility and obligation to the individuals that trusted their organisation with data in the first place.

The data doesn’t just belong to the company. It belongs to their fellow human beings. Appreciating the fact data represents a lot more than a collection of numbers and words won’t necessarily prevent breaches from occurring. But end users that understand the true value of data in human terms are going to be a lot more careful with the data because they’ll think of caring for that data as a sacred trust.

Unfortunately, most end users still don’t really grasp just how much damage can be inflicted when sensitive data gets compromised. They’re all aware they might get in trouble and the company could be fined. But what most of them don’t really get is the human cost. Every time data gets compromised there is a person out there experiencing pain that is being inflicted because someone was careless with their data.

Awareness drives protection

Cybersecurity professionals could be doing themselves and the organisations they work for a huge favour by conducting training classes that simply focus on all the ways sensitive data is employed to inflict real harm. Once informed of those consequences, most end users will take a lot better care of the data they have been entrusted to protect.

Cybersecurity professionals tend to assume everybody intuitively already understands the inherent value of data. The truth of the matter, however, is their collective zeal to accomplish some task as quickly as possible means it’s easy to forget what that data really represents.

Of course, if the business leaders don’t appreciate the real value of the data the organisation collects, the rest of the conversation is a non-starter. But at the very least, cybersecurity professionals can take some comfort in the fact that at the very least they really did try to make a real difference.

About the author

Mark Lukie is a sales engineer manager for Asia Pacific at Barracuda Networks. He has over 17 years’ experience in networking, security, backup/disaster recovery, public cloud platforms, as well as systems integration. For more information, visit: