CISOs call to ditch the 'stigma of blame' in cybersecurity

We have to protect our people as much as our networks, and that means looking after their mental health as well as their security education.

We talk about the technical side of cyber - can we defend ourselves, our network, our data? How will AI change the game? What new vulnerabilities are the attackers exploiting? - so much that we sometimes forget about the most important part. Or, as one CISO put it:

"We all talk about people, process, technology trifecta. Many of us overload on the latter two, but don't do enough for the people."

That was Bronwyn Boyle, CISO at fintech PPRO, speaking during a panel discussion at Computing's Cybersecurity Festival 2024.

Working in cyber can become "overwhelming" for people in the industry, with an inevitable effect on their mental health – up to and including leaving the sector entirely. It's why Bronwyn is involved with Cybermindz, a group aimed at helping cybersecurity professionals manage the increasing stresses of the job.

"The number of job openings in cyber is huge, and the number of people who can fill those gaps is small," said Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems. "Looking after their mental health and enabling them to feel positive...is to your competitive advantage."

Sam's company runs phishing tests on its own employees. This controversial practice has been criticised for harming productivity while adding little to security, but 11:11 has a different goal in mind: to identify weaknesses, educate staff and, most importantly, emphasise that they shouldn't feel ashamed of making a mistake.

"We would never blame somebody who was mugged," said Bronwyn. "We would never blame somebody that had their car broken into. And yet, for some reason, there's still quite a strong stigma of blame and shame in cyber incidents.

"If I could take one phrase out of our lexicon, it would be 'humans are the weakest link.' You just have to stop thinking like that...

"With the technology available...any one of us can fall for a sophisticated attack. Taking that shame out of the equation is so important."

Nick Ioannou, information security manager at Goodlord, has his own approach to tackling shame, which he calls "fraud huddles."

"I reached out to everyone asking if anyone had been defrauded. Four people stepped forward... They were all engineers and product managers, highly technical and literate people. [It proved that] anyone can fall victim; anyone can be fooled. Showing that to everyone gave more people the courage to come forward."

One of Goodlord's own founders was targeted in a spear phishing attack over Christmas: a story Nick shared with the company "to show even the founders could be a victim."

"Attackers," said Bronwyn, "are relentless... The asymmetry between attack and defence is getting bigger and bigger."

That's why more companies are formalising processes and removing the ability for managers to override security decisions.

"Make sure nobody is ever reprimanded for saying, 'This is the correct process'," said Nick.

"And don't take instructions for £26 million over Zoom," Bronwyn added.