3 Security Myths That Will No Longer Fly in 2016

By Eric Noonan • February 22, 2016

With 2016 underway, CIOs taking a more critical look at cybersecurity costs, and boards working from a better-informed definition of information risk, security organizations will be forced to evolve past practices that were once seen as appropriate. Weighing today's advanced threats against business priorities, CISOs may need to abandon some assumptions and methodologies that are no longer acceptable.


1: A product vendor can drive the organization's entire security strategy

Security product salespeople will tell you that simply buying their expensive software will "address all your PCI compliance needs" or "cover 14 of the 20 critical security controls." The truth is that these tools, on their own, neither ensure compliance nor meet the security needs of the business. Information security is about people and processes as much as technology. Spending an entire year's security budget on security software leaves an organization without enough staff to run the tools, and without the maturity that only documented procedures can provide.

2: Vendor security isn't necessary (or isn't the responsibility of the CISO)

For years, a security organization's ability to identify and assess the risk associated with third parties has been put on the back burner or left to other parts of the company. The effort expended to protect data on internal networks is shockingly out of proportion to the effort spent protecting data of the same criticality that is handed to vendors without any consideration. With the criticality of data entrusted to cloud providers and application hosts, and the large share of high-profile data breaches that trace back to vendor relationships, vendor security management needs to be #1 on a CISO's list of gaps to close.

3: You won’t have any security staff turnover

It's estimated that there will be one million unfilled cybersecurity jobs in 2016. Organizations invest heavily in developing security professionals internally, and the company's projects and initiatives are often built on the skills of these employees. However, even employees who are highly engaged and seemingly well-compensated will face salary and opportunity temptations this year that will pull a good percentage of the workforce into new jobs. Without properly documented processes, a security organization can expect to lose a significant amount of knowledge when key employees leave for new challenges.

So What’s the Answer?

The common thread in each of these soon-to-be-abandoned myths is that organizations need documented processes to address cyber risk. Set out on a plan this year to document and put in place the most critical and common security procedures that your security organization can use to enable the business and reduce threats. Well-documented processes lessen your dependence on tools, address third-party risk, and reduce the impact of staff turnover. By discarding these out-of-date myths, you aren't really losing anything; you are gaining capabilities that move you toward a more sustainable and mature security organization.
