Gartner reveals Top 10 IT Security Myths

Gartner analyst says "misperceptions" can wreck best-laid IT security plans

By , Network World
June 11, 2013 04:45 PM ET

Network World - When it comes to information security, there are a lot of “misperceptions” and “exaggerations” about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst Jay Heiser.

These false assumptions all add up to “security myths” that have gained wide credence among security pros, the employees they’re trying to protect from data loss, and the business managers apt to blame chief information security officers (CISOs) for breaches and other mishaps. Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his “Top 10 Security Myths”:

Myth #1: “It won’t happen to me”

Cause: Inured by hype over risk, and letting employees do whatever they want to avoid expense and responsibilities.

Cure: Face the business responsibility to confront security-related requests; making use of a security classification framework helps.

Myth #2: “Infosec budgets are 10% of IT spend.”

Cause: Wishful thinking; Gartner research shows the budget number is more like 5%.

Cure: Get some real data.

Myth #3: “Security risks can be quantified”

Cause: Illusion that you can have your security budget if you try to justify it in an Excel spreadsheet, a common misperception in a “numbers-oriented culture” in which it’s thought “he who has the biggest numbers wins.”

Cure: Develop non-numeric expressions of risk, and seek to ensure the business unit takes ownership of its IT-related risks.

Myth #4: “We have physical security (or SSL) so you know your data is safe”

Cause: Wishful thinking and poor understanding of risk

Cure: Ensure security purchases match data requirements

Myth #5: “Password expiration and complexity reduces risk”

Cause: Inertia. Heiser adds: “We know passwords are deeply flawed, but cracking is just not the major failure mode. Passwords are not cracked, they’re sniffed.”

Cure: Might not be one

Myth #6: “Moving the CISO outside of IT will automatically ensure good security”

Cause: Passing the buck. Heiser adds: “It’s the old ‘let’s solve a cultural problem by re-organizing something’ trick.”

Cure: Analyze the root cause of weaknesses in a security program

Myth #7: “Adhering to security practices is the CISO’s problem”

Cause: Passing the buck. Lines of business want security risk to be someone else’s problem, with the CISO shouldering all the risk, even though they don’t feel the CISO should be able to tell them what to do.

Cure: Build an information security program around the culture

Myth #8: “Buy this tool <insert tool here> and it will solve all your problems”

Cause: External search for magic solutions to difficult problems; wishful thinking

Cure: Methodical risk analysis and prioritization, multi-year security plan

Myth #9: “Let’s get the policy in place and we are good to go”

Cause: Wishful thinking

Cure: Establish management responsibility and pick your battles carefully
