March 23, 2018 By Kevin Beaver 3 min read

Today’s security threats are real, and the business risks are tangible. Yet, many organizations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for network events when they occur.

By and large, many people manage IT with a false sense of security — a heightened sense of self. They appear to be getting stuff done: They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it’s really not.

Common Fallacies That May Be Holding Back Your Security Program

Looking from a higher level at what’s taking place in the average enterprise, security is all over the map. Some people swear by their security awareness and training initiatives, yet their users’ behavior remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.

Ditto for paperwork: Even the best security policies and procedures are useless if the organization’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. In fact, I’ve yet to see a policy that by itself positively contributes to effective security. Instead of policies with little substance, security professionals need technologies that can enforce those policies in transparent and automated ways.

Still, the same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully under-implemented — some to the extent that you can’t help but wonder why the money was even spent in the first place. Some IT and security professionals believe they have completely locked down their network, but there are almost always gaps. Some organizations focus too much on compliance and too little on security, while others are too trusting of their vendors.

Establishing Organization-Wide Security Goals

This lack of direction stems from people in the business not having a set of common goals to work toward. I’ve met executives who couldn’t articulate what they were trying to accomplish — they just knew that security was a priority to someone. Rather than understanding their requirements and working on plans to protect what was important, they were busy putting out fires on a day-to-day basis.

Some executives fall into this trap because they lack goals, while others simply lack sufficient resources. Regardless of the reason, if you’re not putting forth the necessary effort and implementing adequate security controls, you can’t reasonably protect your network and information assets, much less know whether or not your security strategy is working.

As economist Thomas Sowell once said, “It takes considerable knowledge just to realize the extent of your own ignorance.” The mark of a true security professional is someone who realizes that he or she doesn’t know everything and can’t possibly secure his or her network against all the threats that are out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.

You might have everything you need to properly secure your network, know your risks and understand how to uncover them quickly. You might even have management’s support — and all the technical controls under the sun. Even with all this at your disposal, the most critical step is to obtain and maintain the necessary level of discipline to achieve your security goals, as well as the cultural and political support to see it through.

Fine-Tuning the Basics

Many people want to keep talking about what’s new and what’s next with security. The reality is that we don’t need anything else — we just need to understand and implement the basics and fine-tune them over time. It’s true that one bad decision is all it takes to expose your organization to a cyberattack. Likewise, one good decision is all it takes to get your organization on track with reasonable (if not perfect) security initiatives.

Many of the mistakes and oversights in your security program are minor by themselves. When you add them up, however, they represent formidable challenges. Get on track and do the things that you know will enhance security and minimize risks.

This involves three core steps:

  1. Know your network.
  2. Understand how your important data is at risk.
  3. Do what it takes to eliminate, minimize or otherwise compensate for your risks.

I’ve yet to see an organization that is proficient in all three of these areas.

It’s easy to overlook some big security gaps when you are exposed to your own environment day after day. Don’t hesitate to bring in an unbiased third party that can give your system a fresh look. That’s one of the best ways to uncover your blind spots. If you don’t, threat actors are sure to smell blood and eventually take advantage of your security weaknesses.
