Playing the blame game is often the first port of call whenever a security breach occurs. From the outside, it’s business leaders who tend to take the most public scrutiny for cybersecurity incidents, with press and customers alike asking how they allowed this to happen. From there, business leaders turn their attention internally to their IT and security teams and ask the same questions. When a breach occurs, it’s ultimately due to existing security vulnerabilities that should have been identified and addressed earlier, so it’s natural that the blame tends to fall on teams whose main responsibility it is to find these vulnerabilities.

But in recent years, debate has started to shift, with some beginning to question the level of liability that software vendors should hold when a vulnerability in their product is exploited. The idea that more onus should be placed on software providers to put security first has been around for a while, with the House of Lords even recommending holding software vendors accountable back in 2007. But with high-profile breaches now seeming to happen on a weekly basis, such as the Log4j exploits or the CitrixBleed attacks, questions are being asked. It’s often claimed that an emphasis on blaming individual user errors and company decisions for breaches has permitted a culture of persistent security flaws, allowing spiraling security debt (which refers to any vulnerability left unfixed for more than a year) to take hold.