Myth 1: I don’t have anything worth stealing or protecting
Every organization has something worth stealing, says Josh Emde, a lead security architect. If not the intellectual property or trade secrets, a brand reputation or trust is always at stake. Take breaches within the retail industry as an example – in addition to millions of customer credit cards being compromised, a company’s brand reputation takes a significant hit that often leads to lost sales, regulatory fines, identity theft monitoring payout and a long road to rebuilding customer loyalty.
Myth 2: We don’t think we can be compromised
It is not a question of whether we can be compromised, but of when we will be. In this day and age, with nation-state hacking organizations and sophisticated, prolonged attacks, it is impossible to stay ahead of every trend and be 100% safe. It is important to implement safeguards, but how —and how quickly— we detect, react to and remediate compromises is just as important.
Myth 3: Compliance is the same as security
Many organizations aspire to a level of compliance as a corporate goal, and they assume that being compliant with a standard brings them into a secure state. Unfortunately, compliance with a standard really just means that you have minimal controls in place to pass an audit in a certain area, but it doesn’t mean that the rest of your infrastructure is actually secure. A mature security program with robust security controls is a necessary foundation for compliance, not the other way around.
Myth 4: When something goes wrong, everything I need to know is in application log data
Mike Orosz, senior manager of threat and investigative services at Citrix, says a common myth is that applications and hardware are actually logging and, if they are, that the data is useful. Everyone is talking about using application log data to better understand security risk. Terms like “machine learning” and heuristics are in circulation and sound exciting. However, before anyone can dive into risk rating user behavior, a few questions need to be answered:
- Is there an enterprise logging policy, and is it actually implemented?
- Are the logs aggregated and analyzed? If so, is the aggregation done in a way that allows the data to be used easily?
Myth 5: Enterprise security policies will automatically fix security problems
The need for security risk mitigation can often be preempted by well-implemented security policies and standards. Successfully implementing great policies relies largely on shared ownership. Since security policies should enable the teams that are held accountable, a blended policy review and approval group, comprised of stakeholders, should be at the center of applying policies and standards. Lastly, as an internal control to ensure compliance and long-term success, an annual review board should review enhancements and exceptions.