3 Security Myths That Will No Longer Fly in 2016

By Eric Noonan • February 22, 2016

With 2016 underway, CIOs taking a more critical eye to cybersecurity costs, and boards having a better-informed definition of information risk, security organizations will be forced to evolve from past practices that were once seen as appropriate. With today’s advanced threats weighed against business priorities, CISOs may need to abandon some assumptions and methodologies that are no longer acceptable.

1: A product vendor can drive the organization’s entire security strategy

Security product salespeople will tell you that simply buying their expensive software will “address all your PCI compliance needs” or “cover 14 of the 20 critical security controls.” But the truth is that these tools on their own neither ensure compliance nor fully meet the security needs of the business. Information security is about people and processes. Spending an entire year’s security budget on security software will leave an organization without enough staff to run the tools, and lacking the maturity that only documented procedures can provide.

2: Vendor Security isn’t necessary (or isn’t the responsibility of the CISO)

For years, a security organization’s capability to identify and assess the risk associated with third parties has been put on the back burner or left to other parts of the company. The effort expended to protect data on internal networks is shockingly out of proportion to the effort spent protecting data of the same criticality that is handed to vendors without any consideration. With the criticality of data entrusted to cloud providers and application hosts, and the large percentage of high-profile data breaches coming from vendor relationships in 2016, vendor security management needs to be #1 on the list of gaps for a CISO to close.

3: You won’t have any security staff turnover

It’s estimated that there will be one million unfilled cybersecurity jobs in 2016. Organizations invest a lot to develop security professionals internally, and the company’s projects and initiatives are often built on the skills of these employees. However, even employees who are highly engaged and seemingly well-compensated will face salary and opportunity temptations this year that will pull a good percentage of the workforce away into new jobs. Without properly documented processes, a security organization can expect to lose a significant amount of knowledge when key employees leave for new challenges.

So What’s the Answer?

The common thread in each of these soon-to-be-abandoned myths is that organizations need documented processes to address cyber risk. Set out on a plan this year to document and put in place the most critical and common security procedures that your security organization can use to enable the business and reduce threats. Having well-documented processes will lessen your dependence on tools, address third-party risks, and reduce the impact of staff turnover. By discarding these out-of-date myths, you aren’t really losing anything; rather, you are gaining capabilities that move you towards a more sustainable and mature security organization.
