Who is Really to Blame for Cybersecurity Breaches?

IT departments take most of the responsibility for the company cybersecurity. However, how fair is it to charge them with 100% of responsibility for everything that happens there? Cynthia James shares her thoughts on this matter.

The vast majority of IT organizations today have a big problem: the rest of the company considers them to be 100% responsible for cybersecurity. Holding them accountable for some aspects of cybersecurity makes sense, but they certainly can’t be considered wholly responsible. In fact, IT staff are really in about the same position as police officers: while cops can discourage criminals and thwart some crimes, they certainly can’t be considered responsible for every successful crime that occurs. Nor is it their fault that so many people leave their doors (or mobile endpoints) unlocked and become unwitting targets. And yet, organizations very often fire someone in IT, if not the CIO, when breaches occur.

Security isn’t necessarily a hard problem to solve. If IT had complete control over the organization, they could easily ensure there were never any breaches: dig a moat around the company, throw in a hundred alligators and prohibit anything or anyone from coming in or going out. It’s simple, albeit medieval.

Of course businesses cannot function with this sort of “isolation solution”. It’s impossible for any enterprise to succeed today without multiple ingress and egress points for people, information and communication. And with all those moving parts, there are many things IT can’t control. One solution is to come up with an equation that helps gauge the degree to which IT can or should be held accountable for cybersecurity.

Insurance companies have created good models for this: when examining a traffic accident, for example, they determine precisely what percentage of blame each element involved in the crash is responsible for. The key factors might include: weather (5%), worn tires (12%), the driver’s inexperience (17%) and the pig in the intersection (66%). If we actually applied this sort of formula to any given breach of a company, we would probably have to conclude that IT is less than 20% responsible.

Other factors to consider when assessing fault in a cyber breach include:

  • Executives don’t support employee cybersecurity training
  • Marketing has launched new “customer portals”, greatly increasing the company’s attack surface
      o The data captured from these portals is valuable to cyber-criminals
  • Executive staff are regularly spear-phished
  • Mobile policies are regularly violated
      o Employees download free apps from suspect sources
      o Employees connect personal mobile devices directly to the business network
IT rarely has the ability to constrain any of these activities, yet every single one of them compromises the company’s security.

Such a scenario is unfair to IT. But the bigger concern is that as long as IT acts as the “fall guy”, none of the other departments in the company are taking responsibility for the security ramifications of the choices they are making.

Here are a few suggestions for fixing the problem:

1. Publicize the responsibility equation and identify the departments and individuals who had some involvement in a breach. (A side benefit: it might actually embarrass people into following policies.)

2. Add a question at the bottom of every IT request that reads:

What effect will your request have on the company’s level of cyber security?

  1. Increase
  2. Decrease
  3. Neutral

At first, people may not understand the question and will leave it blank. When they learn the field is mandatory, they will choose “neutral”. IT can then step in and explain that security risk usually increases when expanding a network or collecting and storing additional valuable customer data.

Over time, employees can be re-trained to understand the true definition of a company’s cybersecurity posture. “Security posture” is less controlled than it sounds. Yes, it’s formed by hardware, software and the hopes and dreams (aka, “mandated policies”) of the IT organization, but also shaped by the constant security choices each employee makes on a daily basis.

Cynthia James is Director of Business Development, CISSP, for Kaspersky Lab’s technology integration group. Her career in IT spans 25 years, with eight years spent in the anti-cybercrime arena. James speaks often on cybersecurity topics and is the author of Stop Cybercrime from Ruining Your Life! Sixty Secrets to Keep You Safe.