When it comes to information security, there are a lot of “misperceptions” and “exaggerations” about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst Jay Heiser.
[MORE GARTNER: 7 major trends forcing IT security pros to change]
These false assumptions all add up to “security myths” that have gained wide credence among security pros, the employees they’re trying to protect from data loss and the business managers apt to blame chief information security officers (CISO) for breaches and other mishaps. Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his “Top 10 Security Myths”:
Myth #1: “It won’t happen to me”
Cause: Inured by hype over risk, and letting employees do whatever they want to avoid expense and responsibilities.
Cure: Face the business responsibility to confront security-related requests; making use of a security classification framework helps
Myth #2: “Infosec budgets are 10% of IT spend.”
Cause: Wishful thinking---Gartner research shows the budget number is more like 5%.
Cure: get some real data
Myth #3: “Security risks can be quantified”
Cause: Illusion that you can have your security budget if you try to justify it in an Excel spreadsheet, a common misperception in a “numbers-oriented culture” in which it’s thought “he who has the biggest numbers wins.”
Cure: Develop non-numeric expressions of risk, and seek to ensure the business unit takes ownership of its IT-related risks.
Myth #4: “We have physical security (or SSL) so you know your data is safe”
Cause: Wishful thinking and poor understanding of risk
Cure: Ensure security purchases match data requirements
Myth #5: “Password expiration and complexity reduces risk”
Cause: Inertia. Heiser adds: “We know passwords are deeply flawed, but cracking is just not the major failure mode. Passwords are not cracked, they’re sniffed.”
Cure: Might not be one
Myth #6: “Moving the CISO outside of IT will automatically ensure good security”
Cause: Passing the buck. Heiser adds: “It’s the old ‘let’s solve a cultural problem by re-organizing something’ trick.”
Cure: Analyze the root cause of weaknesses in a security program
Myth #7: “Adhering to security practices is the CISO’s problem”
Cause: Passing the buck. Lines of business wants security risk to be someone else’s problem, with the CISO shouldering all the risk, even though they don’t feel the CISO should be able to tell them what to do.
Cure: Build an information security program around the culture
Myth 8: “Buy this tool <insert tool here> and it will solve all your problems”
Cause: External search for magic solutions to difficult problems; wishful thinking
Cure: Methodical risk analysis and prioritization, multi-year security plan
Myth #9: “Let’s get the policy in place and we are good to go”
Cause: Wishful thinking
Cure: Establish management responsibility and pick your battles carefully
Myth #10: “Encryption is the best way to keep your sensitive files safe”
Cause: When encryption works, it works brilliantly. But it can cause more harm than good when there are naïve expectations about a difficult technology; sometimes it’s a “search for the Holy Grail” or “magic bullets” to shoot down regulatory concerns
Cure: Ensure you have solid experience in cryptography before making decisions
As a final cap, Heiser pointed out that many of these myths arise because of factors that are simply the human propensity to over-react in unfamiliar situations or the common organizational bent to pass the blame to someone else. “Buck passing characterizes bureaucratic risk management,” Heiser noted. He said that “there’s no reason the CISO should just sit there and accept all those hot potatoes,” especially when employees are loading up on consumer computing technologies.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org