It is a sad fact that the ‘blame game’ is an inescapable part of human nature. Human beings, to avoid the finger being pointed at them, are all too ready to point the finger at others.
Cybersecurity is no different. If a security leader sees someone making an error or not following security protocol, they might use this as an opportunity to call this employee out, shaming the bad practices in the hope that this blame will encourage others to be more vigilant. Not only is this outdated and unpleasant for the user, but it is altogether ineffective and does not help prevent security incidents in any meaningful, holistic way. It’s time for a different approach.
The Problem: Plenty of Phish in the Sea
The most common security issue that individuals may encounter is a phishing email pretending to be from a legitimate entity, which tricks an employee into clicking on a malicious link. Phishing is by far the most common threat vector and can lead to further security complications: data exfiltration, the installation of malicious software (malware) or even direct financial theft.
This presents an open goal for people hoping to place the blame at an individual’s feet; someone needs to click on a link, and that someone is, in most cases, the end user. This is not a case of a misconfiguration on the technical side but an end user deciding (consciously or unconsciously) to click on the link. It is also worth mentioning that it is easier to sell a narrative with someone known to blame – an employee as opposed to an unknown, faceless criminal.
This is an incomplete picture of the security layout. If an employee clicks on a phishing link, this does not represent an individual failure; rather, it is symptomatic of a collective failure from a cybersecurity standpoint, a failure to understand that cybersecurity is a culture, not a product.
Furthermore, it compounds the problem. If an individual risks personal blame after making an (entirely human) security mistake, this serves to criminalize the person and does not deal with the issue. It pushes security incidents further underground: they are more likely to be covered up by employees, managers or departments and, as a result, less likely to be fixed before they can do considerable damage. Threats running unchecked through a corporate network because of a culture of fear around security play directly into the hands of threat actors.
The segmentation of company functions is part of this problem. When IT teams and senior leadership play the blame game, the resulting friction between them and the wider company can be exacerbated by what the IT teams may consider a holistic solution: multi-factor authentication, email filtering systems and security awareness training. While these are critical areas for a security program, they represent a technical solution to a cultural problem and can, in extreme cases, even cause employees to look for workarounds that bypass security controls entirely.
The Solution: Pulling in the Right Direction for the Same Team
A positive security culture needs to come from the top down. When an end user is found to have clicked on something, the implicit message today is ‘there’s something wrong with you,’ and that must change.
A cultural solution means replacing the game of ‘us and them’ between senior leadership, IT teams and the wider company with a reminder that everyone is on the same team. If we are divided and fighting amongst ourselves, our chances of a secure company slip through our fingers.
Building this into your culture is crucial and means an active program of ‘decriminalizing’ security mistakes. Some organizations have even gone as far as ‘rewarding’ those who have made a security mistake but have come forward to let the relevant people know. Not only does this show a regard for the wellbeing of the company, but it shows that mutual trust between employer and employee works to benefit both parties.
Patrick Lencioni’s five behaviors model identifies the five characteristics of a cohesive team as Trust, Conflict, Commitment, Accountability and Results. Each behavior in the model builds upon the previous one and supports the others. While conflict may not seem to fit here, if the preceding block (trust) is truly in place, then conflict can be constructive. Lencioni does not mention blame at all, because blame without constructive discussion would hinder, not help, the creation of a team mentality in your organization.
Make sure you focus your team building within these parameters, and your company culture will reap the benefits from a security perspective and beyond.