CISOs call to ditch the 'stigma of blame' in cybersecurity

Ditching ‘Humans are the weakest link’

Tom Allen

We have to protect our people as much as our networks, and that means looking after their mental health as well as their security education.

We talk so much about the technical side of cyber (can we defend ourselves, our network, our data? how will AI change the game? which new vulnerabilities are attackers exploiting?) that we sometimes forget the most important part. Or, as one CISO put it:

"We all talk about the people, process, technology trifecta. Many of us overload on the latter two, but don't do enough for the people."

That was Bronwyn Boyle, CISO at fintech PPRO, speaking during a panel discussion at Computing's Cybersecurity Festival 2024. 

Working in cyber can become "overwhelming" for people in the industry, with an inevitable effect on their mental health – up to and including leaving the sector entirely. It's why Bronwyn is involved with Cybermindz, a group aimed at helping cybersecurity professionals manage the increasing stresses of the job. 

"The number of job openings in cyber is huge, and the number of people who can fill those gaps is small," said Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems. "Looking after their mental health and enabling them to feel positive...is to your competitive advantage." 

11:11 Systems runs phishing tests on its own employees. The practice is controversial, and has been criticised for harming productivity while adding little to security, but 11:11 has a different goal in mind: to identify weaknesses, educate staff and, most importantly, make clear that nobody should feel ashamed of making a mistake.

"We would never blame somebody who was mugged," said Bronwyn. "We would never blame somebody that had their car broken into. And yet, for some reason, there's still quite a strong stigma of blame and shame in cyber incidents. 

"If I could take one phrase out of our lexicon, it would be ‘humans are the weakest link.' You just have to stop thinking like that... 

"With the technology available...any one of us can fall for a sophisticated attack. Taking that shame out of the equation is so important." 

Nick Ioannou, information security manager at Goodlord, has his own approach to tackling shame, which he calls "fraud huddles." 

"I reached out to everyone asking if anyone had been defrauded. Four people stepped forward... They were all engineers and product managers, highly technical and literate people. [It proved that] anyone can fall victim; anyone can be fooled. Showing that to everyone gave more people the courage to come forward." 

One of Goodlord's own founders was targeted in a spear phishing attack over Christmas, a story Nick shared with the company "to show even the founders could be a victim."

"Attackers," said Bronwyn, "are relentless... The asymmetry between attack and defence is getting bigger and bigger." 

That's why more companies are formalising processes and removing the ability for managers to override security decisions. 

"Make sure nobody is ever reprimanded for saying, 'This is the correct process'," said Nick. 

"And don't take instructions for £26 million over Zoom," Bronwyn added.
