Today’s security threats are real, and the business risks are tangible. Yet, many organizations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for network events when they occur.

By and large, many people manage IT with a false sense of security — a heightened sense of self. They appear to be getting stuff done: They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it’s really not.

Common Fallacies That May Be Holding Back Your Security Program

Looking from a higher level at what’s taking place in the average enterprise, security is all over the map. Some people swear by their security awareness and training initiatives, yet their users’ behavior remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.

Ditto for paperwork: Even the best security policies and procedures are useless if the organization’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. In fact, I’ve yet to see a policy that by itself positively contributes to effective security. Instead of policies with little substance, security professionals need technologies that can enforce those policies in transparent and automated ways.

Still, the same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully under-implemented — some to the extent that you can’t help but wonder why the money was even spent in the first place. Some IT and security professionals believe they have completely locked down their network, but there are almost always gaps. Some organizations focus too much on compliance and too little on security, while others are too trusting of their vendors.

Establishing Organization-Wide Security Goals

This lack of direction stems from people in the business not having a set of common goals to work toward. I’ve met executives who couldn’t articulate what they were trying to accomplish — they just knew that security was a priority to someone. Rather than understanding their requirements and working on plans to protect what was important, they were busy putting out fires on a day-to-day basis.

Some executives fall into this trap because they lack goals, while others simply lack sufficient resources. Regardless of the reason, if you’re not putting forth the necessary effort and implementing adequate security controls, you can’t reasonably protect your network and information assets, much less know whether or not your security strategy is working.

As economist Thomas Sowell once said, “It takes considerable knowledge just to realize the extent of your own ignorance.” The mark of a true security professional is someone who realizes that he or she doesn’t know everything and can’t possibly secure his or her network against all the threats that are out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.

You might have everything you need to properly secure your network, know your risks and understand how to uncover them quickly. You might even have management’s support — and all the technical controls under the sun. Even with all this at your disposal, the most critical step is to obtain and maintain the necessary level of discipline to achieve your security goals, as well as the cultural and political support to see it through.

Fine-Tuning the Basics

Many people want to keep talking about what’s new and what’s next with security. The reality is that we don’t need anything else — we just need to understand and implement the basics and fine-tune them over time. It’s true that one bad decision is all it takes to expose your organization to a cyberattack. Likewise, one good decision is all it takes to get your organization on track with reasonable (if not perfect) security initiatives.

Many of the mistakes and oversights in your security program are minor by themselves. When you add them up, however, they represent formidable challenges. Get on track and do the things that you know will enhance security and minimize risks.

This involves three core steps:

  1. Know your network.
  2. Understand how your important data is at risk.
  3. Do what it takes to eliminate, minimize or otherwise compensate for your risks.

I’ve yet to see an organization that is proficient in all three of these areas.

It’s easy to overlook some big security gaps when you are exposed to your own environment day after day. Don’t hesitate to bring in an unbiased third party that can give your system a fresh look. That’s one of the best ways to uncover your blind spots. If you don’t, threat actors are sure to smell blood and eventually take advantage of your security weaknesses.
