Security Myth #7: The U.S. electric grid is well-protected under the North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) requirements.
Joe Weiss, managing partner at Applied Control Solutions, argues that's a myth because CIP, drawn up by the industry itself, applies only to bulk distribution of power, not the entire distribution system, and covers only power generation of a certain size. "80% of the generation in the U.S. doesn't have to be looked at under CIP."
Security Myth #8: I am compliant, therefore I am secure.
Bob Russo, general manager at the PCI Security Standards Council, says businesses commonly think that once they become compliant with the data-security rules for payment cards, they're "secure once and for all." But checking the box for compliance represents only a "snapshot in time," while security is a continual process related to people, technology and processes.
Security Myth #9: Security is the chief information security officer's problem.
Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the CISO is going to get the blame for a data breach, mainly because their job has them setting a policy or technical course. But many others in the organization, especially the IT operations people, also "own security" and they need to shoulder more responsibility for it.
Security Myth #10: You're safer on your mobile device than on the computer.
Dr. Hugh Thompson, RSA Conference Program Committee Chair, contends that while this "frequent assumption" has some merit, it underestimates how some traditional safeguards for computers, such as masked passwords and URL previewing, don't apply to mobile devices today. "So while mobile devices still offer more security safeguards than laptops or desktops, several traditional security practices that are broken can leave you just as vulnerable."
Security Myth #11: You can be 100% secure but you need to give up personal freedoms.
Stuart McClure, CEO and president of start-up Cylance, says don't buy the argument that to combat the bad guys online, we have to "submit all our traffic to the government to do it." Better to get to know the bad guys really well and "predict their moves, their tools," and "get into their skin."
Security Myth #12: Point-in-time security is all you need to stop malware.
Martin Roesch, founder of Sourcefire and inventor of the Snort intrusion-detection system, says security defense too often is limited to catching or not catching any type of attack, and if the attack is missed, that defense "practically ceases to be a factor in the unfolding follow-on activities of an attacker." A newer model of security operates continuously, updating information even if the initial attack on the network is missed, in order to understand the scope of the attack and contain it.
Security Myth #13: With the right protection, attackers can be kept out.
Scott Charney, Microsoft corporate vice president of Trustworthy Computing, says, "We often associate security with keeping people out; locks on our doors, firewalls on our computers. But the reality is that even with sophisticated security strategies and excellent operations, a persistent and determined attacker will eventually find a way to break in. Acknowledging that reality, we should think differently about security." For the entire security community, that means a "protect, contain and recover" approach to combat threats today and in the future.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org.