"our security is so bad that when we get hit we have to divert ambulances"
i dont want this to come off as "victim blaming" but if the head of security in that circumstance didnt have " have to divert ambulances" in their threat model as the person in charge of a healthcare org - they should be the next one in the hotseat in court getting grilled by the prosecution.
@chetwisniewski ive said for years, that you can divide security folks into two camps "people who give a shit" and "people who dont give a shit" and theres zero overlap. this venn diagram is two circles with the grand canyon inbetween them.
@Viss I had to caveat victim blaming as well last night in my latest CMU CISO lecture. I rly stress "Duty of Care" and — at some point — even tho it's crims who cause the problem — failing to account for stuff like this is a complete failure and should result in some punitive action.
@hrbrmstr i think its safe to say that its not "victim blaming" if
the person in charge of securitys JOB is to have a threat model
failure to predict what would otherwise be obvious stuff means they suck at their job
if youre the head of security of a major healthcare org and you suck at your job, thats the boards fault for hiring someone who doesnt know what theyre doing
it shows that leadership is being lazy or ignorant.
THATS what should be punished. the laziness/ignorance
Add comment