Eric Chabrow has put together a thoughtful piece on the aftermath of data breaches. Who gets blamed? Should they get blamed? What is the takeaway from the event?
The article correctly points out that we operate in an environment where security perfection is impossible. Even so, news of a breach almost always raises the question of who is to blame. Assigning blame lets us 'move on', as it were, but in many cases it is the wrong question. Who should be held accountable for a lost laptop? The employee who lost it? The IT manager who wasn't tracking the asset? The CIO or CISO for not having enforceable guidelines and training on laptop security? Who, if anyone, should be held accountable for data breaches of any sort?
We like to play the blame game, but as Eric Chabrow points out, it may be more important to apply the lessons learned from a breach and then move on. Disciplining or firing people may not prevent future losses. In fact, there is an argument that pushing out the people who lived through the incident loses the very knowledge that future security planning depends on.
The piece references many articles on the changing dynamics of the blame game for security incidents. I, too, am interested to see how these dynamics play out over the next couple of years.