A couple of days ago I read the CSO article Six myths CEOs believe about security that I’d like to make some personal comments on.
1. Attackers can’t be stopped
The author, Roger A. Grimes, mentions that one of the myths is the one that there’s no efficient way of stopping attackers. Personally, I believe that this isn’t a myth when zooming out a bit. At least it isn’t possible to stop all attackers, there will always be the ones who got lucky. The ones that are heavily funded (state founded for example) must not be forgotten. The author also mentions as comparison that there wouldn’t be any general under attack that would say to the troops that there’s nothing to do to stop the attackers and that’s the exact and most important point. You must be sober enough to know the hard truth that all cyber attackers can’t be stopped, but as a leader you wouldn’t tell too many, right?
2. Hackers are brilliant
It that really a myth? I can agree on that Hollywood has had a tendency of glorifying and give hackers super powers. However, I must say that I don’t really recognize that there’s a myth saying that hackers in the real world are geniuses. Maybe I don’t meet enough CEOs then?
3. IT security knows what needs to be fixed
As much as I agree on the point that this is one of the most important myths to dispel I also would like to argue that this is about to change. Well, at least when it comes to mid- and large-sized enterprises. As many organizations already have some kind of Information Security process-oriented way of looking at security, I think that GDPR will take care of a lot too.
4. Security compliance equals better security
Really? Is there a well-known myth that security compliance by itself equals better security? Of course compliance is one of the pillars on which good security must rely on. But I’m pretty sure that no one really believes that compliance by itself equals better or high security. Please don’t make CEOs hesitate on that compliance is key and must be met forward on as one part of a healthy security standard.
5. Patching is under control
Yeah, I agree on that one 100%. In a healthy operations the underlying infrastructure and operating systems are probably up to speed (perhaps 95% anyway) but again, when zooming out this means that at most 40-50% of the IT environment are fully patched and up to date. Why? Well, there are usually a shitload of applications where in best cases half of them are properly maintained by the supplier/developers and patched accordingly. Does the CEO really believe everything is patched and under control? Yes, I tend to also believe he or she does.
6. Employee security training is adequate
It this one is true (if this is a well known myth) that’s a sad grade for all CSOs and CISOs. If that’s the case, I guess we also do believe (and further tell our CEOs) so. I would argue that the training is something more or less impossible to keep on an adequate level. There’s always needs for ongoing employee training. Personally, I like to train employees at least twice each year in awareness and various more specific topics. And that’s most probably not enough…