March 23, 2018 | By Kevin Beaver

Today’s security threats are real, and the business risks are tangible. Yet, many organizations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for network events when they occur.

By and large, many people manage IT with a false sense of security — a heightened sense of self. They appear to be getting stuff done: They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it’s really not.

Common Fallacies That May Be Holding Back Your Security Program

Looking from a higher level at what’s taking place in the average enterprise, security is all over the map. Some people swear by their security awareness and training initiatives, yet their users’ behavior remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.

Ditto for paperwork: Even the best security policies and procedures are useless if the organization’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. In fact, I’ve yet to see a policy that by itself positively contributes to effective security. Instead of policies with little substance, security professionals need technologies that can enforce those policies in transparent and automated ways.

Still, the same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully underimplemented — some to the extent that you can’t help but wonder why the money was even spent in the first place. Some IT and security professionals believe they have completely locked down their network, but there are almost always gaps. Some organizations focus too much on compliance and too little on security, while others are too trusting of their vendors.

Establishing Organization-Wide Security Goals

This lack of direction stems from people in the business not having a set of common goals to work toward. I’ve met executives who couldn’t articulate what they were trying to accomplish — they just knew that security was a priority to someone. Rather than understanding their requirements and working on plans to protect what was important, they were busy putting out fires on a day-to-day basis.

Some executives fall into this trap because they lack goals, while others simply lack sufficient resources. Regardless of the reason, if you’re not putting forth the necessary effort and implementing adequate security controls, you can’t reasonably protect your network and information assets, much less know whether or not your security strategy is working.

As economist Thomas Sowell once said, “It takes considerable knowledge just to realize the extent of your own ignorance.” The mark of a true security professional is someone who realizes that he or she doesn’t know everything and can’t possibly secure his or her network against all the threats that are out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.

You might have everything you need to properly secure your network, know your risks and understand how to uncover them quickly. You might even have management’s support — and all the technical controls under the sun. Even with all this at your disposal, the most critical step is to obtain and maintain the necessary level of discipline to achieve your security goals, as well as the cultural and political support to see it through.

Fine-Tuning the Basics

Many people want to keep talking about what’s new and what’s next with security. The reality is that we don’t need anything else — we just need to understand and implement the basics and fine-tune them over time. It’s true that one bad decision is all it takes to expose your organization to a cyberattack. Likewise, one good decision is all it takes to get your organization on track with reasonable (if not perfect) security initiatives.

Many of the mistakes and oversights in your security program are minor by themselves. When you add them up, however, they represent formidable challenges. Get on track and do the things that you know will enhance security and minimize risks.

This involves three core steps:

  1. Know your network.
  2. Understand how your important data is at risk.
  3. Do what it takes to eliminate, minimize or otherwise compensate for your risks.

I’ve yet to see an organization that is proficient in all three of these areas.

It’s easy to overlook some big security gaps when you are exposed to your own environment day after day. Don’t hesitate to bring in an unbiased third party that can give your system a fresh look. That’s one of the best ways to uncover your blind spots. If you don’t, threat actors are sure to smell blood and eventually take advantage of your security weaknesses.
