Accountability in Cybersecurity


The effects of ransomware attacks and the SolarWinds hack continue to ripple throughout the country, with a lot of focus being placed on preventing future attacks. Unfortunately, until we resolve an ugly problem with accountability in cybersecurity, history is doomed to repeat itself.

On LinkedIn, a well-respected vCISO courageously shared her views on personal accountability during a particularly stressful event. Her story was inspiring, to say the least. And as I read it through, it dawned on me that the cybersecurity community struggles with taking accountability for the impacts of cyber attacks. This vCISO may disagree with me, but she is, in effect, calling out the cybersecurity community for its weak accountability. And rightfully so!

Why is the cybersecurity community reluctant to take accountability for successful cyber attacks?

Isn’t it our job to protect the confidentiality, integrity, and availability of the data? Last I checked, it is.

And if data is stolen via a cyber attack, isn’t that ultimately on us? It certainly is.

When I have this conversation with my colleagues, they invariably try to shift accountability to other parties, primarily users. Sadly, the community has become used to, and even quite good at, blaming users, leadership, the technology — even “unicorns”. But the ugly truth is, this mindset is the problem.

In safety engineering, mishaps are the result of a ‘chain of events’, one leading to the next, that culminate in an accident. This is called the “safety chain”. And decades of accident investigation reports show that if any link in the chain is disrupted (“broken”), the mishap is almost always avoided.

It’s the same idea with cybersecurity. Our job is to disrupt the attacker’s chain of events. When data is stolen, that means several chances to break a link in the chain were missed. The cold hard truth is, when that happens, that outcome is on us. We failed to meet expectations. It’s not about blame. It’s simply about accountability.

Clearly, people are held accountable for attacks and damaging hacks. But being held accountable is not the same thing as taking accountability. From a mindset perspective, the two are polar opposites.

Accountability must be part of your organizational culture. A culture of accountability shapes organizational thoughts and beliefs. Employees carry around the attitude of “not on my watch”. This attitude drives their behavior, and their behavior ultimately leads to the desired results, i.e. disrupting the chain. Unfortunately, the exact opposite happens in cultures where accountability is weak or lacking. The tendency to duck accountability is a fundamental flaw in the organization, one which will undermine every aspect of its performance.

In my world, the job is to design, build, and deliver systems that must continue to operate safely and securely in cyber-contested environments, where attacks are a given. A culture of accountability is paramount; otherwise, potentially bad things could happen to some really great people.

Do we get it right all of the time? Of course not. Nobody expects us to.

Perfection is not the point. The point is taking accountability for outcomes, especially when we get it wrong.

Because that leads to better results.