No, this isn’t about a politician’s catchphrase. It’s actually something I overheard at a conference last year. I was listening to two people sitting near me talk about a security incident that had happened at the woman’s company. “He should be fired,” was the other person’s immediate response.
This makes me wonder if we’ve got a culture problem in cybersecurity, firing should be a last resort, not a default answer.
Lots of people get fired for cybersecurity breaches. CIOs. CEOs even. But is that a good thing or a bad thing?
Don’t get me wrong, sometimes it’s the right call. Security is a leadership issue, and the business needs to strike the right balance. It’s not surprising that leaders are increasingly being held accountable for that balance. The CEO of Target was fired, in part because of not getting cybersecurity right. But firing a CEO or CIO or CISO assumes that the company will actually change as a result, otherwise those individuals are just the scapegoats that allow the company to keep the wrong balance.
And what if, instead of leading to positive changes, the firing of CEOs could have the opposite effect? The high profile firing of executives could lead to creating cultures where people don’t want to go looking for potential gaps in security because of what they might find if they go looking. If you don’t look for a breach, you don’t have to disclose it. This danger is why the SEC is requiring companies to disclose incidents, so leaders know they have an obligation to do so.
If you have a policy for firing after an incident, you need to consider the costs to fire the individual and the costs to find a replacement. It may cost HR upwards of $10,000 in recruiting fees to place an average employee, while it may cost upwards of $150,000 to place a senior executive with a search firm. The search itself could take months, and it may take months to train a replacement, which translates into lost productivity during that time. Would spending $10k or $100k of security training in the existing employee be a better investment for the company?
Fool me once, shame on me. Fool me twice…
What if the company gets hacked again? People like to focus on repeat offenders because there is a pattern of behavior, which surely means they should be punished. I’m not sure it’s as simple as that, however. We frequently tell people that it’s easy to social engineer someone or that with a little research, you can craft a spear phishing email. The repeat offense could actually be a sign, not of ignorance or untrainability, but that the offender is a more frequent target because of their position. A mature security training program should take this into account.
I argued in my book, No More Magic Wands, that rather than focus on punishment, you should focus on the opportunity to learn and change from incidents. Keeping a leader with the scars of a security incident will mean that the leader is more focused and aware of the potential issues. They understand the business, how they got where they are, giving the most potential to come up with solutions.
At the end of the day I think we all want cybersecurity to improve. But I don’t think we can adopt the attitude that everyone who doesn’t get it should get pushed out of the way. To be successful, we need to include everyone in our effort.