A good friend from the security industry, Eric Cowperthwaite, recently caused some debate with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends disagreed.
The truth, as usual, is somewhere in between.
Mood music:
Let’s start with Cowperthawaite’s key point:
In the information security community there is a tendency to blame the victim first, rather than the criminal. And as soon as that starts to work, much of the community begins to pile on like sharks smelling blood in the water.
I’m not even going to name all the times this has happened and give examples. We all know about the retail company, the coffee company, the software company …. the list goes on and on …. that didn’t have perfect security, got victimized by a criminal, and we tore into them for “the thing they didn’t do.” This is so wrong, I don’t know where to start.
Boris Sverdlik and George V. Hulme see things differently. Says Sverdlik:
Most orgs aren’t in the business of security, they are in the business to make money. If you believe most companies do their darnedest to protect their customers then you are living in some other world I wish I could be a part of. The truth is most companies don’t give a shit about security until they get popped and when they do they will do the bare minimum to keep appearances up because nobody holds them liable. My job as a security professional is to reduce the risk to an organization and if I can’t 100 percent say that I’ve done my best I deserve to be blamed.
Hulme adds:
I don’t think an organization like Target that had a puke IT culture and didn’t bother to have a CISO or a point person on consumer privacy gets a pass on anything. And that company DEMANDED to scan Driver’s Licenses to buy things like Nicorette gum. As I was a customer at Target for years, that’s the only justification I need for that opinion.
The discussion went back and forth several more times on Facebook, but I think those capture the prime points.
Once again, what’s true in the security industry is true in the rest of the world. Is how we treat people who fail right?
We have a tendency to blame the victims. It’s not a good practice in the first place, but what’s worse is that it’s hypocritical. We all make mistakes and get things wrong. When it happens to us, it’s a learning experience. When it happens to someone else, they’re idiots.
That said, Sverdlik and Hulme are right to point out that companies tend to not give a shit about security until they get hosed. To that end, ridicule is justified.
But I’ll tell you what matters to me: how honest the victim is.
When a retailer is the victim, its customers are victims too. When the retailer tries to gloss over its culpability, the pile-on is deserved. Not because it suffered a breach in the first place, but because it wasn’t honest about what it learned and what it were doing about it.
We need more compassion, but we need accountability and consequences, too.
Maybe someday people in the infosec occupation will learn how business works. Cost vs risk etc.