Working as security resident consultants providing full-time security expertise for large national companies, my colleagues and I have discovered certain security myths continue to persist, sort of like a cybersecurity version of Santa Claus.
Believing in Santa does not do any harm; believing misconceptions about the security of your organization, however, does. Below, I set out some of the most common cybersecurity myths our experts run into, and what the real facts are. Some of these truths may be hard to swallow, and require significant cultural shifts. In an organization that has done business a certain way for generations, it isn’t easy to “click and drag” the IT and information security teams to new ways of thinking. However, if companies want to protect their data, they must be ready to change.
Myth #1: It’s a Good Idea to Mix Your IT and IT Security Teams
Some companies mix their information security team in with the IT team and assume the two can co-exist, working toward the same goal. The problem is that IT’s main goal is to deliver services to the company, while the security team’s job is to mitigate risk. The services IT provides introduce risks and vulnerabilities to the company, and it is the cybersecurity team’s job to mitigate them. If companies put both the IT team and the information security team under one budget, problems are sure to follow. The IT team will want to spend that money on providing the best services possible to meet the company’s needs, and the security team is then often left with insufficient funds to protect the company’s data.
Information security teams should be under a risk management organization or under direct oversight from the CEO or the board of directors. The IT organization can be territorial at some companies and may not want the information security team to separate itself. Often, teams don’t want to lose assets even when it makes sense to move one team to another place in the company. The IT team should still maintain security controls. However, the security and risk management teams should decide what policies to apply to security controls. Furthermore, the security and risk management teams should use the data from the security controls to assess the threats and risks to the company.
Myth #2: It’s OK to Shrug off Security Policy Violations That Don’t Result in a Compromise
Companies often neglect to hold employees accountable for violating security policies. All employees should enforce company policies and be held accountable for violations – including the security and risk management policies. I am not encouraging people to tattle on their fellow workers. Often, all it takes to correct risky behaviors is teammates’ willingness to educate their buddies about security policies. Even small security violations can have significant effects on the confidentiality, integrity, and availability of an organization’s information. It takes just a moment for someone to access an unsecured workstation after an employee walks away from it. Most companies have a policy that requires users to secure all devices, but almost everywhere SecureWorks Resident Consultants go, they see a failure to enforce those policies. Additionally, companies usually include language in their Acceptable Use Policies that forbids unauthorized applications. We routinely see companies’ employees downloading games and other unauthorized applications to their corporate workstations, introducing further risks to the environment.
Small mistakes can have big consequences. Building a culture of security requires that leadership enforce all information security policies. First-time offenders usually only need to be educated on the risks of their careless behavior. The security team should take note of the productivity lost due to a user’s security violations and should report repeat offenders to the CISO, the HR director, or someone else at the company who will use that information to help change the culture and enforce policies. Enforcing policy even for small security violations builds a culture of security awareness across your workforce.
Myth #3: Tools and Technology Should Be the Main Focus of Security Strategy
Many companies prioritize tools and technology over people and processes. Having the latest and greatest devices and technology tools can be great, but without the proper people and processes in place, information security teams often suffer from “alert overload.” In addition, companies usually have many tools that don’t communicate with one another, and often have redundant tools, yet too few employees who can effectively operate the tools.
Prioritizing tools and technology over people and process results in tools and people that do not work well together.
People can form a human firewall around your network. For that reason, security awareness training is critical, as is establishing smart processes around policy enforcement. As for the tools, use APIs to make the tools talk to each other. Examine the impacts of current and new tools on people and processes. Follow frameworks like the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls to help prioritize and cover all threat vectors.
Unfortunately, these are not the only myths that persist in cybersecurity. In our next installment, we will get into some more of the misconceptions that continue to circulate in companies around the world – and what you can do to make sure they do not take root.