Questions are the answers

November 11, 2015 | Javvad Malik

How to avoid becoming the blamed victim

I stare into my coffee mug. I’m not even paying attention to what Bill, the CEO, is saying and wonder if his soul is black and bitter like my brew.

He doesn’t look like he’s slept well for the last two days. I notice a small stain on the cornflower blue tie that hangs loosely as the button on the top of his shirt is undone – causing his goose-like sagging chin to wiggle with every word.

His company has been breached and now he wants some advice. It would be mildly interesting if this were my first rodeo. In reality, it’s beginning to feel like the daily merry-go-round. The process is almost too familiar by now – I have it all mapped out in my head in six simple steps:

  1. $Company gets breached ->
  2. $Company states it takes security seriously ->
  3. Customers don't fully understand what has happened ->
  4. $Company offers a year's free credit checking for its customers ->
  5. Security professionals comment on how lax $company was at security ->
  6. Rinse repeat.

I look up at Bill. He’s leaning in and looking straight at me, palms facing me – he pauses to give himself the chance to compose himself. He must have read a book on how to build rapport and is pulling out all the stops to come across as likeable as humanly possible.

“You tell me… Imagine you returned home to discover you’d been burgled. All your prized possessions were stolen or vandalised. You would not be pleased if I sat here and accused you of being responsible for being burgled. No, I’d sympathise with you! Victim-blaming doesn’t help!”

Ah, the old victim-blaming argument. I recall the definition from Wikipedia that states victim blaming occurs when the victim of a crime or any wrongful act is held entirely or partially responsible for the harm that befell them.

The problem is that his analogy falls apart on closer inspection. Maybe I would have been more sympathetic had this not been the fourth breach the company had suffered in 18 months.

I try to muster up as much empathy as I can. “Bill, this is an unfortunate situation, but let’s look at it like this. Say I’m a bank and you can deposit your cash with me. I do not have a safe or vault; rather, I keep all the deposited cash in a cardboard box under my desk. You tell me that the box isn’t safe, but I tell you it’s perfectly fine. Then one day, while I’m out on my lunch break, someone steals the box from under my desk. Of course the thief is ultimately the wrongdoer, but you would hold me accountable for not placing the cash in a secure location or taking other measures when I left it unattended as I went for lunch. You'd be right to feel that I've violated your trust.

And therein lies the difference between holding someone accountable and victim-blaming.”

Bill’s face turns a shade of crimson as if he’s about to blow a gasket. He opens his mouth a couple of times as if to say something, but shows remarkable self-restraint. The silence feels like it lasts an eternity.

My colleague Tony finally breaks the tension. “When a company suffers a data breach, it is often difficult to piece together what exactly happened and how. Often times a company can remain blissfully unaware that it has suffered any breach until the attackers publicly disclose the fact. So, when a breach does occur, companies can be seen to respond poorly and incur the wrath of customers as well as be blasted by industry experts for being clueless.”

I respect Tony. He’s instinctively playing the good cop to help ease the transition for Bill. Tony continues,

“Having your company held accountable is a good thing. But being labelled as negligent or incompetent when it comes to safeguarding data is not a pretty allegation. In order to minimise the likelihood of this occurring, you need to be in a state of readiness before, during, and after a breach.”

Bill half-raises an eyebrow. “And what exactly is this state of readiness? And don’t tell me I have to spend millions on security technology.”

“You have to ask questions,” I say. “Questions before, during, and after a breach. If you ask the right questions at the right time, you’ll be able to make better decisions than the knee-jerk ones you’ve been making.”

“And what might those questions be?” asks Bill with a burst of enthusiasm that was previously lacking.

“I thought you’d never ask”.

The questions

[Image: blaming the victim in a data breach, questions to ask yourself]

About the Author: Javvad Malik

The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
