CISOs call to ditch the 'stigma of blame' in cybersecurity

Ditching ‘Humans are the weakest link’

Tom Allen • 2 min read

We have to protect our people as much as our networks, and that means looking after their mental health as well as their security education.

We talk about the technical side of cyber so much - can we defend ourselves, our network, our data? How will AI change the game? What new vulnerabilities are the attackers exploiting? - that we sometimes forget about the most important part. Or, as one CISO put it:

"We all talk about people, process, technology trifecta. Many of us overload on the latter two, but don't do enough for the people." 

That was Bronwyn Boyle, CISO at fintech PPRO, speaking during a panel discussion at Computing's Cybersecurity Festival 2024. 

Working in cyber can become "overwhelming" for people in the industry, with an inevitable effect on their mental health – up to and including leaving the sector entirely. It's why Bronwyn is involved with Cybermindz, a group aimed at helping cybersecurity professionals manage the increasing stresses of the job. 

"The number of job openings in cyber is huge, and the number of people who can fill those gaps is small," said Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems. "Looking after their mental health and enabling them to feel positive...is to your competitive advantage." 

Sam's company runs phishing tests on its own employees. This controversial practice has been criticised for harming productivity while adding little to security, but 11:11 has a different goal in mind: to identify weaknesses, educate staff and, most importantly, emphasise that they shouldn't feel ashamed of making a mistake. 

"We would never blame somebody who was mugged," said Bronwyn. "We would never blame somebody that had their car broken into. And yet, for some reason, there's still quite a strong stigma of blame and shame in cyber incidents. 

"If I could take one phrase out of our lexicon, it would be 'humans are the weakest link.' You just have to stop thinking like that...

"With the technology available...any one of us can fall for a sophisticated attack. Taking that shame out of the equation is so important." 

Nick Ioannou, information security manager at Goodlord, has his own approach to tackling shame, which he calls "fraud huddles." 

"I reached out to everyone asking if anyone had been defrauded. Four people stepped forward... They were all engineers and product managers, highly technical and literate people. [It proved that] anyone can fall victim; anyone can be fooled. Showing that to everyone gave more people the courage to come forward." 

One of Goodlord's own founders was targeted in a spear phishing attack over Christmas, a story Nick shared with the company "to show even the founders could be a victim."

"Attackers," said Bronwyn, "are relentless... The asymmetry between attack and defence is getting bigger and bigger." 

That's why more companies are formalising processes and removing the ability for managers to override security decisions. 

"Make sure nobody is ever reprimanded for saying, 'This is the correct process'," said Nick. 

"And don't take instructions for £26 million over Zoom," Bronwyn added.
