Blaming the Victim for the Crime

Putting the victim on trial. Decades ago we learned to stop putting victims of sexual abuse, domestic violence and rape “on trial”. Well, mostly anyhow. But we, mostly, stopped blaming the girl because she wore a short skirt or went to a bar and flirted with guys. These days we don’t try to say that the domestic violence victim invited the abuse, or that they were at fault for not speaking up in the first place. And so forth. But there’s a community that, I am sad to say, spends a lot of time blaming the victims of crime.

In the Information Security community there is a tendency to blame the victim first, rather than the criminal. And as soon as that starts to work, much of the community begins to pile on like sharks smelling blood in the water.

I’m not even going to name all the times this has happened and give examples. We all know about the retail company, the coffee company, the software company ... the list goes on and on ... that didn’t have perfect security, got victimized by a criminal, and we tore into them for “the thing they didn’t do”. This is so wrong, I don’t know where to start.

Well, yes, I do. I’m going to start with this. It does not matter if the company in question had absolutely no security, or not. They are the victim of criminal behavior. Blaming the victim for the behavior of the criminal is completely, totally wrong. It is not that software company’s fault that they were attacked by an evildoer.

If we information security “professionals” want to be professionals, and we want to be a mature community, we need to change this. We need to learn to blame the criminal and support the victim.

Yes, the victim undoubtedly needs to improve their security. It’s important as part of protecting the company and the customers of the company. It should be a crucial part of the company’s strategy, and security should absolutely get visibility from both the CEO and the Board. And the community of Information Security professionals should be providing quality input and advice on how to make things better.

But tearing the victim down for how bad they are, following up breaches and attacks by saying the company is not responsible, didn’t do the right things, puffing up our chests and telling everyone how much we know, and so on. That’s just wrong. And unprofessional. And immature. It’s like saying that the only way the girl is not at fault for the assault is if she stayed at home, doors locked and bolted, wearing a suit of armor and carrying a shotgun. Perfect security, indeed, but completely unrealistic and wrong. She wasn’t the criminal.

You want security to be better, to be respected, to have CEOs listen? Then you need to grow up, InfoSec ... go after the bad guys, blame them, hold them responsible. Support the victims, help them to recover and to be better prepared in the future.

About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in General.
