By now, I am sure that everyone in the cybersecurity business has seen the news about the (former) CEO of SolarWinds blaming an intern for the lame password that enabled the attack. At the risk of piling on, this reminds me of a story from long ago (the early-to-mid 2000s, I think).
After one of the many security incidents that hit the Defense Department, I talked with a senior officer in the affected organization. In his best command voice, he said, “We need to find the person that failed to install that patch and left us exposed to attack – we need to make an example of them!”
In my best techno-geek voice, which is not particularly commanding, I politely replied, “Sir, any enterprise that puts its fate into the hands of the lowest paid, least trained, and most poorly equipped part of its workforce doesn’t have bad people, that enterprise is guilty of bad strategy.”
We had a friendly discussion afterward (whew!). My point: that 20-year-old tech school graduate is trying to operate complex technology, under terrible conditions, using bronze age tools, and given conflicting requirements (“Take the server down to patch it? But email is Mission Essential!”).
Of course, we need to set performance expectations, and we need to hold people accountable for their actions or failures. But at that point in history, my observation (based on results from NSA Red and Blue Teams, etc.) was that DoD IT operations were still a bit of a Wild West patchwork of policies, purchasing, configuration, and management. We were overwhelmed with IT problems that needed to be understood and solved at the enterprise level, not by whacking moles ever faster. I nudged the conversation toward what the Air Force was doing to standardize IT purchasing, the development of standard security configuration baselines, and the early attempts to normalize the data and technology that would allow IT and security management automation.
I’m not sure that I changed any hearts or minds during the conversation, but maybe I bought some young IT wizard some time and space.