The effects of ransomware attacks and the SolarWinds hack continue to ripple throughout the country, with a lot of focus on preventing future attacks. But unless we resolve a problem with accountability in cybersecurity, history is doomed to repeat itself.
On LinkedIn, a well-respected vCISO courageously shared a story of personal accountability during a particularly stressful event. Her story is inspiring, to say the least.
As I read it, though, it dawned on me how the cybersecurity community struggles to take accountability for the impacts of cyber attacks. This vCISO may disagree with me, but she was, in effect, calling the cybersecurity community out for its poor accountability. And rightfully so!
Why is the cybersecurity community reluctant to take accountability for successful cyber attacks?
Isn’t it our job to protect the confidentiality, integrity, and availability of the data? Last I checked, it was.
So if data is stolen via a cyber attack, isn’t that on us? Yeah… it certainly is.
When I have this conversation with my colleagues, they invariably try to shift accountability to other parties, such as users.
Sadly, our community has become used to, and even quite good at, blaming users, leadership, the technology — even “unicorns”. But the ugly truth is, this mindset is the problem.
Parallels with safety
In safety engineering, mishaps are the result of a “chain of events”, one leading to the next, that culminate in an accident. This is called the “safety chain”. And decades of accident investigation reports show that if any link in the chain is disrupted (“broken”), the mishap is almost always avoided.
It’s the same idea with cybersecurity. Our job is to disrupt the attacker’s chain of events. When data is stolen, that means several chances to break a link in the chain were missed. The cold hard truth is, when this happens, that outcome is on us. We failed to meet expectations. It’s not about blame. It’s simply about accountability.
Clearly, people are held accountable for attacks and damaging hacks. But being held accountable is not the same thing as taking accountability. From a mindset perspective, the two are polar opposites.
Accountability must be part of your organizational culture. A culture of accountability shapes organizational thoughts and beliefs. Employees carry around the attitude of “not on my watch”. This attitude drives their behavior, and their behavior ultimately leads to the desired results, e.g. disrupting the chain. Unfortunately, the exact opposite happens in cultures where accountability is weak or lacking. The tendency to duck accountability is a fundamental flaw in the organization, one that will undermine every aspect of its performance.
In my world, the job is to design, build, and deliver systems that must continue to operate safely and securely, in cyber contested environments, where attacks are a given. A culture of accountability is paramount, otherwise potentially bad things could happen to some really great people.
Do we get it right all of the time? Of course not. Nobody expects us to.
Perfection is not the point. The point is taking accountability for outcomes, especially when we get it wrong.
Because that leads to better results.
Originally posted on Medium.