
Punitive Cybersecurity Models Incentivize People to Hide Mistakes – Do This Instead

Resilient information systems depend on humans working together – that’s why empowering staff to own up to errors is crucial to mitigating breaches   


By Corinium Global Intelligence  

In the battle against cyber threats, many organizations focus on technological defenses while overlooking the human element. This is despite the fact people are both the most critical vulnerability and the strongest asset that CISOs have.   

Building a resilient security culture hinges on fostering a company-wide ethos of transparency and trust. And this, says Steve Cobb, CISO at security ratings firm SecurityScorecard, means moving away from punitive models that can drive mistakes underground.

“We encourage the culture within SecurityScorecard that if you see something, say something. If you clicked on something by mistake, let us know,” Cobb says. “We're not going to berate you over it. We want to try to protect the organization.”  

Cobb says that the longer an employee feels ashamed or afraid of reporting a potential incident, the more time it takes for the security team to respond and contain a threat.   

Countering this stigma and creating an environment where people feel able to discuss their mistakes, he says, is essential for any organization – but is particularly critical for a high-profile security company like SecurityScorecard, which is a frequent target for sophisticated phishing and social engineering attacks.  

Every employee there is on the front lines, Cobb says. His goal is to instill a “security-first mindset” from an employee’s first day, explaining the serious responsibility each person holds while simultaneously assuring them that the security team is a resource.  

“I've been in many environments where it's been more punitive and people are scared to tell you that they did something wrong,” Cobb says. “Every aspect of that is counterproductive to what our mission is.”  


Vendor quizzes ‘are outdated’  

This cultural approach extends beyond internal operations to the increasingly critical domain of third-party risk. Cobb says the traditional method of assessing vendors solely with lengthy questionnaires is outdated. Instead, it’s essential to build human-to-human relationships.  

“You really can't determine risk information until you trust that vendor and build a relationship with them,” he says. “You have to be on a first-name basis with your critical vendors and suppliers, and it can't be a contentious relationship.”  

He describes the traditional company-vendor dynamic as adversarial, with companies simply demanding better security from their vendors. A more effective model, he suggests, is a partnership where both parties commit to mutual improvement. This is especially vital as the attack surface expands to include fourth-party risk – the security posture of a vendor’s own vendors.

“Third-party risk is the only place in the cybersecurity industry where you outsource your risk to another company and you say to them... tell me what's going on in your environment,” Cobb says. “We don't do that in any other area of cybersecurity.”  

He advocates for a model where companies use continuous monitoring and their own processes to proactively insulate themselves from a vendor’s potential incident, rather than waiting for a breached partner to provide information and guidance.  

Artificial intelligence has a role here, he adds, pointing to the lengthy process of vetting vendors by reviewing massive contracts, security reports, and compliance documentation as a prime area where emerging tools can ease the load.   

“I see AI being a huge help there,” Cobb says. “What's the goal overall? It's to reduce the risk that our vendors introduce... AI can help us get to that outcome. Whereas before it's taken months, we can get to it in a real-time interaction.”  

Similarly, he sees promise in using AI to sift through threat intelligence data and to help generate actionable response plans for both first- and third-party incidents. Such use cases will not replace human roles, he says, but will cut out tedious tasks and accelerate analysis.


‘Help your talent to grow – even if it means they leave’  

Cobb acknowledges the high levels of stress the security field can bring to employees. He highlights the importance of hiring people who have passion and alignment with the company’s mission – and who are motivated by more than compensation.  

“Cybersecurity has a lot of responsibility. You're never really off,” Cobb says. “If you're not passionate about cybersecurity and trying to help people stay safe, is this going to be the job for you?”  

Leaders should therefore be invested in employees' long-term career success, he adds, even if that success eventually leads them to another organization. Building a deep bench of talent and constantly networking, he says, is crucial to managing the inevitable turnover in a competitive field.  

Reflecting on his career, Cobb says the advice he would give his younger self is to build a professional network faster. “Often in the CISO role, you can get a little isolated,” he says. “I like to have really smart people around me. And I know when I do that, I always have the ability to ask questions to folks who've been through things and come out successful on the other end.”  

Join top cybersecurity executives at CISO Financial Services New York on February 26, 2026.