Shooting the messenger

An article by Wendy Goucher in the latest edition of the Computer Fraud & Security Journal entitled “Shooting the Messenger” caught my attention. It discusses organisational blame culture around the reporting of information security incidents. Wendy states that “Current business culture is such that should any problem arise blame is apportioned so that the miscreant can be spoken to strongly by their line manager. If there is no obvious or clear person to blame then one must be found.” This produces a challenge with regards to security, because we want to encourage problems to be reported.

In fact, the scale of the problem increases when we have an organisation operating in different parts of the world. Encouraging issues to be reported is not something that’s warmly embraced where the regional culture is one of not wanting to be seen to be making mistakes and creating problems. My tack has been to challenge parts of the business to actively seek out and explore issues, and thereby demonstrate that they understand security and take it seriously. But I’ll admit that there’s no quick win, and it’s hard work to get people to open up when, as Wendy says, reducing the blame reflex is not something that a manager or department can decide to do autonomously.

The article goes on to discuss the fact that the person who spots the problem and reports it is often not the person who caused it, but they are often the one who ends up in the firing line. For example, a security guard who discovers a break-in might be asked why he didn’t verify that the alarms were activated, a network analyst discovering an intrusion might be asked why he didn’t spot that a firewall port was open, and so on. A culture of blame within the organisation will be detrimental to incidents being reported and is more likely to encourage cover-ups.

Wendy’s article closes by stating that there is some comfort in being able to point the finger of blame for a mistake at someone else… However, it does not help the person responsible for information security identify where the system is weakest and therefore prevent such events from happening in future.

My fellow blogger David Lacey pointed out some time ago the growing importance of human factors in today’s security and IT problem space. This extends well beyond security awareness, right through the organisation and the way we deal with people when issues arise.

2 comments

Hi Stuart, just found this by the good security practice of Googling myself (though clearly I don't do that often enough). I am so glad that someone reads my articles from time to time, and that they provoke thought. I think that this problem, of not being the one who wants to find the flaw that costs the business money, is only going to get worse now budgets are tightening. However, as more people are motivated to try and 'make a fast buck' by exploiting weakness, it has never been more important to invest a little time and effort in looking at the human links in our systems. I hope my articles continue to occasionally give you pause for thought. Regards, Wendy

Thanks Wendy - just read your submission to the latest edition of CF&S too...
