Most IT breaches these days, especially if ransomware is involved, are not a result of ingenious pranks by tech-savvy but perhaps a bit callous geeks, but instead of long-term mis-management of IT and information security at a given organization.

So... How about we replace the word "hacked" with "managed" in the context of security breaches?

"Colonial Pipeline got managed lately, causing panic-buying of petrol."

"Facebook managed again, personal details of 500mln leaked."

@rysiek Nice. I like this angle.

Any discussion of the problem should center management anyway. Else why should they even exist?

"Security was mis-managed at Experian."

Criminals simply took advantage of that.

@erosdiscordia @rysiek Needs more active voice. "So-and-so mismanaged security at Experian leading to..."

@vortex_egg @rysiek The only reason I'd disagree with this is that it puts the onus on reporters to figure out who is responsible. That should also be management's job.

It's too easy for a fall guy to get volunteered. The media should be *questioning* the placing of blame, because that often uncovers a more interesting story.

@erosdiscordia @vortex_egg and yet one that requires repeating until reporting improves.

@rysiek @erosdiscordia I guess I over-specified. I really just meant to say "The management mismanaged the security" instead of either fingering a specific individual or instead of the responsibility-avoidant language of "The security was mismanaged..." But this is all semantics which is overshadowed by both of your very good points. 👍

@darrenpmeyer @erosdiscordia you're not wrong. And sometimes the management is doing the best they can with resources provided, especially in places like the notoriously underfunded NHS.

But that's also kind of my point. Blaming "management" for every breach that happens is somewhat silly, we can agree on that. It's *still less silly* than constantly blaming some mythical "hackers". And that keeps happening all the time.

I do prefer nuance, but if I can't have that, I'll go with "management".

@rysiek @darrenpmeyer I think a back-to-front laying of blame on management is pretty unfair. It needs to be more nuanced within the company, of course. But in terms of press coverage, would an assumption that management is to blame be harmful? Generally I think it would be the most socially positive tack. Just my two cents. I'd probably feel differently if I were a manager. ;)

@darrenpmeyer @erosdiscordia again, you're not wrong.

And yet, between criminal attackers and negligent management, it's still the magical unnamed "hackers" that constantly get the blame.

And I am just not okay with that. It paints security researchers as cybercriminals, lumps government-sponsored advanced persistent threats with wonderfully creative techies doing art in random basements, and justifies persecution of people like Aaron Swartz.

This is simply unacceptable.

@darrenpmeyer @erosdiscordia you can insist all you want that those who make negligent decisions leading to security breaches (and then walk away with fat bonuses anyway), and the customers, users, and patients whose data gets stolen and milked for years, are both "victims". I ain't buying that.

So, just to be clear: nobody is suggesting blaming the victims, because management in such major breaches (such breaches that would grab media attention) is almost never actually a victim.