Cyber victim blaming is a thing. Not just for scapegoating CISOs, but rank-and-file employees as well.
Resist the impulse. It only takes one peek ahead on the chessboard to see that’s a bad move.
If you fire people who tell you they accidentally clicked on a phishing link, then people will stop telling you things you want to know. Front-line employees are your eyes and ears, human threat intel who often know when something feels wrong—or is wrong.
That doesn’t mean you should completely absolve people for being reckless or stupid, either. But you’ve got to think about the incentives you’re creating, and take a nuanced approach.
There's a saying in Colombia: No dar papaya.
I learned a lot about security living in Colombia. The risk of a targeted or (more likely) non-targeted attack by street crime at that time was always non-trivial.
This doesn’t translate literally (“don't give papaya”), but instead means: Don’t do stupid things that put you in a vulnerable position where others can hurt you.
We should not blame victims of crime (this includes victims of cybercrime), but no dar papaya offers a more nuanced point of view.
If you walk down a dark alley in a bad part of town at 3am with gold and diamonds and bling bling and money squirting out your back pocket, don’t be shocked if someone takes them off you.
On the one hand, you are a victim of crime and the guilty party is the criminal.
On the other hand, you put yourself in a vulnerable position when you really should have known better.
We can have a long digression about how the world should be but security must engage with reality as it actually is.
You are never to blame as the victim of a crime, but you can do a lot to avoid being the victim of a crime in the first place.
This strongly informs my thinking as the CISO of a highly-targeted company. Sure, if organized crime or North Korea hacks my employer, well they are guilty of crime (or in the case of North Korea, warfare).
But there is a lot I can do to reduce the risk of that happening. Simply by not doing stupid things, and focusing on getting the blocking and tackling right, I am refusing to give papaya.
Look, if someone robs you at 3am because you gave papaya, it is not your fault but you were reckless.
If, on the other hand, you are traveling in an armored car, and a group of commandos abducts your vehicle and uses James Bond gear to steal your diamonds, then you reach a level of due diligence where there’s nothing more you could have done.
That’s where I want to be. “I performed my due diligence, what’s more I did everything I could possibly think of, and we executed to peak performance based on current budget and staffing levels.”
Then even if something bad were to happen, I can still sleep at night knowing I’ve done my job to the very best of my ability.
You can extend this thinking to rank-and-file employees. Asking company members to not give papaya is a reasonable point of view.
“Cyber street smarts” are something everyone can learn, just as handwashing is something anyone can learn. You don’t have to be a microbiologist or a brain surgeon to appreciate the value of handwashing for personal hygiene, and you don’t need a PhD in cryptography to use a password manager and two-factor authentication and to be wary of phishing email.
No dar papaya translates badly into English, and the best I can do is “don't be reckless”. That means cultivating those “cyber street smarts.” In the world of corporate cybersecurity, that's a threshold seldom met, but one worthy of establishing as a minimum baseline of due diligence.