Top Four Security Myths

The Cybersecurity Mindset

Myth 1: Everyone is accountable for cybersecurity.         
We often hear things like "Everyone is accountable for security." This is false. While everyone is responsible for cybersecurity, only a select few are ultimately accountable. The truth is that senior management alone is ultimately accountable for the security of the organization. Employees are responsible to follow policies, standards, procedures, and guidelines as set out by senior management. But any final accountability will fall to the senior management.

Myth 2: There is never enough security.
Something you often hear is that you can never have enough security. Yes, you can. You can have enough security, and you can even have too much security.

Let's take an example from home security. Most of us would agree that installing a retina scanner in order to access your front door would be too much security. Why's that? Security will always cost you something; and this is not limited to the financial costs involved purchasing, installing, and maintaining the retina scanner. More than that, we have to take into account organizational costs such as time, performance, backwards compatibility, user acceptance, and so on. In the case of a retina scanner, these costs are simply too high to justify its use for home protection.

So, the correct answer to how much security is enough is, simply, just enough. Identify your assets, assess their value, determine their current risk, and then implement controls to bring those risks down to acceptable levels. No more, and no less.

Myth 3: First we build, then we secure.
Security should be baked in, not sprayed on. Unfortunately, the latter is by far the norm. If you've ever attended a programming bootcamp, you know that the amount of time these programs devote to security hovers around zero. This is because the current business climate prioritizes performance (does it work?) over security (is it safe?).

The reason we're so dependent on firewalls, intrusion detection systems, monitoring systems, and the like is because we write inherently insecure code. If, on the other hand, we would design our applications to be secure, we could substitute (a) "does it work?" and (b) "is it secure?", for (c) "does it work securely?". This is an entirely different mindset that involves security throughout all the stages of software and systems development. This is what we refer to as security-by-design. Starting from the early stage feasibility analysis all the way to the retirement or disposal of the product. Security has to be considered along every step of the way.

Myth 4: We need a single security solution.
No one device is ever going to protect you. If we return to the example of home security, it's understood that a simple lock at the front door, while it may be a critical component of home security, is insufficient. Most of us would consider adding an alarm system, but even that is a reactive measure that only sounds once a break-in has already occurred. However, once we add a barking dog in our yard, a security camera at our door, and motion-sensing lights, we're beginning to understand the concept of layered defense.

The same holds true of cybersecurity. Firewalls, two-factor authentication, data encryption, access control, security policies, physical security are more or less vulnerable on their own, but when they work together, they can create a nearly impregnable defense. A good defense is a layered defense.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.