It’s not your fault; really. It’s bigger than you or me, and it’s bigger than a few mistakes any of us might have made. Actually, I don’t honestly know if you could ever place the blame on any one source, because it is so big. What am I talking about? I am talking about the cyber threat landscape that we all live in on a day-to-day basis. There is a tendency, and this goes double for the technical security community, to Monday-morning quarterback it to an extent: the tendency to say “I told you so,” and to hold up the latest big hack to the scrutiny of the media and everyone else, saying this could have been prevented.
But it is not so easy. It’s always easy after the fact, when there has been a major breach. Are mistakes made? Almost certainly. Is there more that could be done? Sure. Is there more that could have been done before? Possibly. But this still begs the question of whose fault it is, and why.
No One’s Fault
The problem is that looking for fault does not accomplish anything except to actually make another attack more likely. How does it do this? If people are blamed and they feel the pain of that recrimination, they will most likely practice avoidance, and avoidance is just inviting an attack. I have actually had IT professionals at major organizations tell me that they do not want to know about any possible threats. This is a recipe for disaster. An attack on them is almost inevitable.
Fault also does another unconstructive thing: it keeps rank-and-file employees from addressing cybersecurity issues in their own local work area. For instance, when a clerical employee sees a supervisor mishandling documents, they will not report it, for fear of blame or recrimination or just to avoid conflict in their department. But if there is a known security authority that they are allowed to go to without any dust-up, they will be much more likely to make that report. The activity can then be corrected without recrimination against either party.
Who’s To Blame
It’s no one’s fault. Frankly, it’s bigger than that. Plainly, we are living in radical times, transitional times in the era of cybersecurity. The prevalence, the size, and the sophistication of the attacks are unprecedented. Look at the rate of increase in the cost of cyber-attacks: it is currently at about $800 billion, depending on where you look for estimates. By 2019 it is predicted to be about $2.2 trillion. This is a massive increase, and there is no end in sight. There has never been any type of crime wave to compare with this in magnitude. The banking industry has been working on security procedures, policies, technologies and enforcement for about 500 years. The cybersecurity industry has been dealing with a much larger and more fluid set of circumstances for about 35 years.
There simply is no comparison to the magnitude of this problem. There is just too much at stake, and there are too many actors and technologies involved. So the next time you think it is your fault as the executive of a company, keep in mind that you are dealing with something no one has ever had to deal with before. Maybe that will give you a little peace of mind.