The Crisis of Personal Responsibility & Accountability (More Laptops Stolen)

Paul Bridges has a quick recap of the latest “breaches” involving stolen laptops at his new blog. As a college student interested in Security, I’m impressed with his initial posts and hope he maintains the momentum and helps shape the future of security professionals.

In his post, Another laptop stolen more identities at risk, he covers some of the latest breaches that have caused a lot of headache for those affected. As I was reading the summary, I found myself shaking my head and wondering why we allow this.

Why does this continue?

I’m probably going to discuss this in an upcoming podcast ( — but what bothers me is that I don’t see anyone actually step up and take responsibility. I have noticed a few trends in the recent breaches (tell me if this sounds familiar):
• commonly, but not always, seems to be a contractor
• *ALWAYS* some sort of mistake beyond company policy
• *ALWAYS* assessed to have minimal impact
• *SOME* safeguard was always claimed to be in place

What intrigues me is the way we allow this to happen. As a professional coach and speaker, many of my clients have engaged me to work with their employees to encourage them to start taking personal responsibility for their data and systems. Over the course of the last year, I have learned in the beginning of my time with a group that many believe the recent breaches and problems are either problems of technology or someone else’s responsibility. Seems when we’re at work, many of us don’t stop and think about our own actions and taking responsibility for the data.

Now I’ll have a post coming up about how I think we need to focus on helping people regain responsibility – and while the steps are easy to write about, it takes some time and true commitment to make that change. I’ll do what I can to guide you on that journey and share the insights I continue to gain.

But there is a second part that alarms me when it comes to the continuing spat of breaches – we, the people, allow it! As the people affected (or potentially affected), we abdicate our responsibility to hold those responsible (whether they accept their responsibility or not) accountable. The companies are able to announce “they don’t think anything will happen” and then we all *shrug* and move along. But I think it goes even deeper — I think we are in a situation where no one steps up and takes responsibility.

Why is that? Well, I think that some of this goes well beyond security. But as a professional that coaches, consults and speaks, I’m always noticing the trends – and in the last year, we have been so bombarded with all of this, for many the easiest path is to step aside and throw our (collective) hands up in the air.
I don’t think we need to throw our hands in the air and I certainly don’t believe the sky is falling. I think the challenge for those of us bothered by this is to make it real for people — in a way that doesn’t contribute to fear, uncertainty and doubt (FUD). In other words, we have to become more capable at explaining why this is a problem so that two important things happen:

1. People take ownership of their data/systems and reduce these sorts of incidents; and

2. When it happens, the people and companies responsible are held accountable.

I suspect this is going to take some time, but when it does, it should start to make a change. But that’s the catch – we are not able to buy some magical technology or wave our magic wand and solve this problem. We have to focus on the practice of security and educating people – at the right time and in the right way – on how to take action.

Maybe the reason we don’t take responsibility is that we no longer feel empowered or lack the tools to truly be responsible. And without the right knowledge (perhaps even vocabulary), I think it’s ever more challenging to hold people accountable for their actions. So we have a challenge in front of us to empower organizations to take the right actions and truly educate people.

It’s becoming ever more clear to me that this is a problem of people more than a problem of technology. What do you think?

Share ideas and comments with me at se**************@gm***.com.

Michael J. Santarcangelo, II, CISSP (Lead Instructor) is an expert who coaches, consults and speaks on security, privacy and compliance issues. Learn more at

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.