Why “Who’s to Blame?” is the Wrong Question

(April 4, 2024)

In cyber security we talk a lot about blame. Yes, we worry about malware and ransom attacks, about threat monitoring and response, about securing operations, about permissions and access, but all too often, when we think about cyber security we think about incidents and “who’s to blame?”.

In recent news, the UK Deputy Prime Minister, Oliver Dowden, blamed Chinese groups for two cyber-attacks and said the UK and international partners would expose China for "ongoing patterns of hostile activity".

With cyberattacks increasingly targeting operational technology (OT) networks using ransomware (the number of attacks with physical consequences increased by nearly 20% in 2023), manufacturing and utilities have emerged as highly vulnerable sectors, and interestingly, they are blaming inadequate security budgets.

It’s human nature to seek a cause for the effect and to want to apportion blame. If we can blame something then we can take direct steps to address it. But when the hackers are to blame, or inadequate budgets are to blame, or the employee who clicked the malicious link is to blame, or the CISO or CIO are to blame, there are too many conflicting answers. Perhaps then the question, “who is to blame?” is the wrong question for cyber security to try to answer. So what is the right question?

To shed some light, I had the pleasure of participating in the recent DTX Cyber Leaders Summit in London. The keynote presentations, panel discussions and fireside chats focused on tackling the challenges of security operations, defining security strategy and coming to terms with AI and geopolitical cyber warfare. Senior cyber security leaders, including CIOs and CISOs, connected, discussed and collaborated on key challenges. This was the perfect place to get to the right questions to ask. I was participating as a panel moderator, and as a former CIO, both in Canada and in the UK, I understand that answering the right question is important not only to cyber leaders but to Chief Executives and the Board.

Faced with increasing cyber threats and increasing sophistication from hackers equipped with AI, it is easy to get sucked into responses that deal with blame. Who is at fault and what can be done about it? It’s easy for Boards and CEOs to get fixated here. A big part of the role of the CIO and CISO is to relate the security strategy to clear and measurable business outcomes. But how can we best do that without defaulting to wanting to apportion blame?

Changing Culture and Aligning with the Business

The discussions at the cyber leaders summit focused on changing culture and engaging and aligning with the business. Creating ‘safety’ for employees in order to change culture and behaviour was a key theme. The idea of ‘nudging’ people to do the right thing by creating a ‘choice architecture’ came up in one of the fireside chats. The idea is that soft, paternalistic steering of behaviour, taking context and timing into consideration, can elicit cultural changes that address cyber problems before they become incidents.

The idea of creating ‘safety’, the ability to fail and to learn from failure, is also the topic of a great book I’ve been reading by Matthew Syed called ‘Black Box Thinking’. The premise here is that success can only happen by confronting mistakes and that a cornerstone of success is a progressive attitude to failure, without a focus on blame. The title is inspired by aviation, where the use of black box recorders and the commitment of an entire industry to learn from the data associated with incidents has produced an astonishingly good safety record, because mistakes are learned from rather than concealed. However, in both human psychology and society, there is a deeply contradictory attitude to failure. Even as we find excuses for our own failings, we are quick to blame others. It is human nature, and it has been amplified in society.

When we think about learning from failure in cyber security, we often rely on compliance. If we fulfil all the compliance criteria then we are ‘safe’, and if we don’t, someone is to blame. But compliance does not automatically result in changed outcomes (reduced risk, fewer incidents etc.). Think about staff education. Training staff on cyber security is important, but only if it is changing outcomes. The fact that 87% (or 93% or 99.9%) of an organisation completed cyber awareness training does not matter if that knowledge is not being absorbed and applied at the right time. I remember a situation when a staff member who had shared their network credentials in response to an annual phishing attempt went through the mandatory online and then in-person training, and at the end still asked when they would get the 50% discount on equipment promised in the phishing email! We are wasting scarce resources and attention when we invest in things that do not impact outcomes.

How to Shift Behaviours in Measurable Ways

A key takeaway from the cyber leaders summit was the willingness to explore how to impact outcomes and how to shift behaviours in measurable ways. Beyond the playbooks and attack surfaces, security operations, zero trust, compliance and AI, discussions on these fundamental questions are those that will move our industry forward. As cyber leaders we need to help our C-Suite and Boards explore how we can get beyond “who’s to blame?” and share learnings from failures across our industry (as we do around threats).

Having a progressive attitude to failure turns out to be a cornerstone of success for any institution. Thinking about human behaviour, and making it easy for people to do the right thing rather than being punitive when things go wrong, should be a fundamental consideration in cyber security.

If the question “who’s to blame?” is the wrong question, then better questions to ask are “what are failures telling us about human behaviour?” and “what can we do about that?”. That is exactly what I heard in those cyber leader discussions.

I’m reminded that ‘Human Behaviour’ was Björk’s debut single, topping the pop charts in Iceland and the UK in late 1993. And as that Icelandic woman says, in a song that is now firmly stuck in my head, “There's definitely, definitely, definitely no logic to human behaviour”.