Fine or not Fine

A CISO once “joked” to me that he kept his work area so clean and tidy because he didn’t want to get too settled in. In the inevitable event of a breach, he would be the scapegoat and be walked out the door. He didn’t want to have too much to carry on his walk of shame.

More and more these days we’re hearing about data breaches on both small and large scales. Equally we are hearing about larger and larger penalties and fines being imposed for these breaches, particularly in cases that involve personal data.

But are fines a productive method of improving the overall security risk landscape? On one hand, they can certainly help in putting cyber risk higher up on the list of priorities for businesses to address. On the other hand, who knows how many breaches go unreported in order to avoid fines or retribution? This is a fairly common side-effect of negative reinforcement.

When something goes wrong, many are quick to look for someone to take the blame. As a result, many people spend a lot of energy keeping the finger pointed away from themselves. In the end this means we all lose the opportunity to learn and improve.

Fines and penalties for cases of clear and avoidable negligence make sense. Parties that actively avoid communicating identified breaches are included in this category. But in general, active breach reporting should be encouraged.

So, about that negligence – how seriously do you take cyber security in your business? If your answer is “Umm…” or “we have some insurance” or some other kind of band-aid “solution”, then it’s strongly advised that you start to take this seriously. After all, ignorance is no defence.

We live and breathe this. Tell us what you think.