CISOs call to ditch the 'stigma of blame' in cybersecurity

Ditching ‘Humans are the weakest link’

Tom Allen
2 min read

We have to protect our people as much as our networks, and that means looking after their mental health as well as their security education.

We talk about the technical side of cyber - can we defend ourselves, our network, our data? How will AI change the game? What new vulnerabilities are the attackers exploiting? - so much that we sometimes forget about the most important part. Or, as one CISO put it: 

"We all talk about people, process, technology trifecta. Many of us overload on the latter two, but don't do enough for the people." 

That was Bronwyn Boyle, CISO at fintech PPRO, speaking during a panel discussion at Computing's Cybersecurity Festival 2024. 

Working in cyber can become "overwhelming" for people in the industry, with an inevitable effect on their mental health – up to and including leaving the sector entirely. It's why Bronwyn is involved with Cybermindz, a group aimed at helping cybersecurity professionals manage the increasing stresses of the job. 

"The number of job openings in cyber is huge, and the number of people who can fill those gaps is small," said Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems. "Looking after their mental health and enabling them to feel positive...is to your competitive advantage." 

Sam's company runs phishing tests on its own employees. This controversial practice has been criticised for harming productivity while adding little to security, but 11:11 has a different goal in mind: to identify weaknesses, educate staff and, most importantly, emphasise that they shouldn't feel ashamed of making a mistake. 

"We would never blame somebody who was mugged," said Bronwyn. "We would never blame somebody that had their car broken into. And yet, for some reason, there's still quite a strong stigma of blame and shame in cyber incidents. 

"If I could take one phrase out of our lexicon, it would be 'humans are the weakest link.' You just have to stop thinking like that...

"With the technology available...any one of us can fall for a sophisticated attack. Taking that shame out of the equation is so important." 

Nick Ioannou, information security manager at Goodlord, has his own approach to tackling shame, which he calls "fraud huddles." 

"I reached out to everyone asking if anyone had been defrauded. Four people stepped forward... They were all engineers and product managers, highly technical and literate people. [It proved that] anyone can fall victim; anyone can be fooled. Showing that to everyone gave more people the courage to come forward." 

One of Goodlord's own founders was targeted in a spear phishing attack over Christmas: a story Nick shared with the company "to show even the founders could be a victim."

"Attackers," said Bronwyn, "are relentless... The asymmetry between attack and defence is getting bigger and bigger." 

That's why more companies are formalising processes and removing the ability for managers to override security decisions. 

"Make sure nobody is ever reprimanded for saying, 'This is the correct process'," said Nick. 

"And don't take instructions for £26 million over Zoom," Bronwyn added.
