Security teams still face finger-pointing. Blame culture must end
This issue is still rife and causing burnout, says one CISO
Organisations still need to move beyond a blame culture, if the state of cybersecurity is to improve, according to Paul Baird -- UK Chief Technical Security Officer at Qualys, and previously global head of cybersecurity operations at Jaguar Land Rover. He has long been an advocate for paying more attention to mental health and wellbeing in IT security – and he sees this, and improving the security function's link with organisations more broadly as critical to better security -- while recognising that often CISO soft skills need improvement.
“We have that challenge now to prove that we are bringing value to the business. The Security Operations Centre (SOC) has been traditionally this closed room, a special door that only certain people can go through. So you're already distancing yourself from the business by having that locked door,” Baird tells The Stack.
“I think the perfect CISO is a blend between having a technical background or technical competency, but also the ability to engage with the business and for them to be understood, liked, respected – accepted by their peers into the business.
"If you can find CISOs that have those capabilities, they're the ones that are going to do well. They're the ones that are going to drive the business.”
See also: Hiring a CISO (or want to be one?) Know you this…
One of the most urgent issues facing organisations is to move away from a blame culture, according to Baird.
He says the culture of trying to assign responsibility for a breach is “really, really strange” and still endemic.
“It was always 'why did security not do this?' 'Why didn't it do that?' Yes, very much finger-pointing. And I think that is a defensive mechanism. Because everybody's so worried about being breached,” says Baird.
“There's some times that [it's a case of] 'I want to save my job'. And the only way that that can happen is putting the blame onto somebody else. Now, that is an assumption of mine. But I experienced that with my growth through through security. And it's trying to break that mentality,” he adds.
“if something does something wrong, there shouldn’t be a blame game – we have to learn from it. If it's a mistake, what were the processes in place that let that mistake happen? We need to redefine those processes.
“So therefore, if it's that SOC engineer, it's not his fault. He's followed the processes that have been written by the business. So how can you then blame the SOC engineer? If it's the board didn't want to buy EDR and just went with EPP and something happens and it's a lateral movement attack that EPP would never pick up?”
The issue of blame continues to be widely discussed in cyber security circles – but business leaders in general are becoming more aware of the issues around having a blame culture. An October 2021 article by the accountancy body ICAEW emphasised that cyber security is a “whole company” responsibility; while former Amazon finance executive Craig Callé talked about the organisational issues of treating CISOs as “sacrificial lambs” in CFO magazine last month: “Employees rarely see themselves as stewards of their own data, thinking IT has sole responsibility for securing it. Privacy regulations drive a welcome, lean data mentality, but security should never shoulder the full, or even primary, responsibility,” Callé noted.
A 2021 paper, “Contemplating Blame in Cyber Security” by academics Karen Renaud, Alfred Musarurwa and Verena Zimmerman, meanwhile looked at how a blame culture could create a “second victim” of a breach, in the form of the person being blamed. They noted that beyond the person directly being blamed, there is often wider emotional fallout among an organisation’s employees.
“On an organizational level, blaming might hinder learning because relevant influencing factors are overlooked... For example, Dekker (2016) explains that when organizations blame, they lose the opportunity to learn from the event, and to be able to take remedial action. If they content themselves with blaming, the incident will probably re-occur because the causes have not been remedied,” said Renaud et al.
Join your peers and follow The Stack on LinkedIn
Baird suggests CISOs need to find effective ways to demonstrate to business leaders how easy it can be to be targeted by bad actors – and gives an example of how he did this.
“I spun up a Linux machine on a hosting company, and just tracked how many hits and how many breach attempts. And I had nothing up there. Absolutely nothing up there other than SSH open. And it was amazing to see how many hits and how many attacks. That was the evidence I took back to my board, and it was one of the tools I used to say this can happen to anyone. Nobody knows me. Nobody knows what that machine was. It wasn't running anything – yet it was still being attacked. Just to prove to them that all of this is going on.”
CISOs soft skills also need to be effective in the other direction, with Baird suggesting senior cybe security professionals need to be on the lookout for burnout and other issues with their staff.
He says this is one area where things have actually improved as a result of Covid.
“Because of the remote working, the working from home, the disconnection from the business and from your teams – all of a sudden, leaders are picking up new skills, or should be picking up new skills,” Baird says.
“You can be in a meeting with your peers, and you can pick up body language, you can pick up responses. You lose that ability when you're in a Teams meeting. And so you have to retrain yourself and learn new skills to pick up where things are right and things are wrong. And that needs to start at the top and we need to move that down.”
Burnout is an increasing problem in cyber security – exacerbated by the growing skills shortage across the industry, leaving many organisations’ IT security teams understaffed. Baird notes there are ways to mitigate this, including through a greater use of automation – something which Qualys is focusing on – but that throwing technology at the problem won’t make it go away.
See also: Demand for UK cyber-pros shoots up as shortfall triples
“Adding technology will help reduce the stress the strain on the teams. It will never stop the finger pointing. I think that's a whole cultural change that needs to be looked at because if it's if they're not blaming security, they'll be blaming somebody else,” he says.
When asked if vendors have a responsibility when it comes to blame culture, by setting unrealistic expectations for their products, Baird gives a qualified yes. He suggests vendors always need to agree “success criteria” with a customer, and make sure they can fulfil them.
“That should be part of project management anyway, but again, I've worked for a lot of organisations where that has never happened. It was: you buy an EDR tool, we're going to deploy the EDR tool, once it's deployed, that's your project finished. What's the EDR tool there to do? Are we going to mitigate more threats, are we going to stop lateral moves, and is that going to help with our OT environment? They were never discussed.
“It's having those frank and open discussions with the customer. Because they might not know what they want. They've they found a piece of technology. They've read an article, or their board has come down and gone: you need to buy EDR.”
He also hopes security professionals in general can start being more open with each other, in contrast to the “very guarded” approach currently in the industry.
“I'm not saying spread all of your nasty out to your competitors. But if we start to talk more… I did this, I did that, and this worked. I did this, I did that, and it didn't work. It means that other people can take that information and reuse it.”