Putting the victim on trial

Decades ago we learned to stop putting victims of sexual abuse, domestic violence and rape “on trial”. Well, mostly anyhow. But we, mostly, stopped blaming the girl because she wore a short skirt or went to a bar and flirted with guys. These days we don’t try to say that the domestic violence victim invited the abuse or was at fault for not speaking up in the first place. And so forth. But there is a community that, I am sad to say, spends a lot of time blaming the victims of crime.
In the Information Security community there is a tendency to blame the victim first, rather than the criminal. And as soon as that starts to work, much of the community begins to pile on like sharks smelling blood in the water.
I’m not even going to name all the times this has happened and give examples. We all know about the retail company, the coffee company, the software company… the list goes on and on… that didn’t have perfect security, got victimized by a criminal, and we tore into them for “the thing they didn’t do”. This is so wrong, I don’t know where to start.
Well, yes, I do. I’m going to start with this. It does not matter whether the company in question had absolutely no security. They are the victim of criminal behavior. Blaming the victim for the behavior of the criminal is completely, totally wrong. It is not that software company’s fault that they were attacked by an evildoer.
If we information security “professionals” want to be professionals, and we want to be a mature community, we need to change this. We need to learn to blame the criminal and support the victim.
Yes, the victim undoubtedly needs to improve their security. It’s important as part of protecting the company and the customers of the company. It should be a crucial part of the company’s strategy and security should absolutely get visibility from both the CEO and the Board. And the community of Information Security professionals should be providing quality input and advice on how to make things better.
But tearing the victim down for how bad they are, following up breaches and attacks by saying the company was irresponsible and didn’t do the right things, puffing up our chests and telling everyone how much we know, and so on: that’s just wrong. And unprofessional. And immature. It’s like saying that the only way the girl is not at fault for the assault is if she stayed at home, doors locked and bolted, wearing a suit of armor and carrying a shotgun. Perfect security, indeed, but completely unrealistic and wrong. She wasn’t the criminal.
You want security to be better, to be respected, to have CEOs listen? Then you need to grow up, InfoSec: go after the bad guys, blame them, hold them responsible. Support the victims, help them to recover and to be better prepared in the future.