When it comes to information security, there are a lot of "misperceptions" and "exaggerations" about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst Jay Heiser.
These false assumptions all add up to "security myths" that have gained wide credence among security pros, the employees they're trying to protect from data loss, and the business managers apt to blame chief information security officers (CISO) for breaches and other mishaps.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in "Fight Today's Malware," InfoWorld's Shop Talk video. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
[MORE GARTNER:7 major trends forcing IT security pros to change]
Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his "Top 10 Security Myths":
Myth #1: "It won't happen to me"
Cause: Inured by hype over risk, and letting employees do whatever they want to avoid expense and responsibilities.
Cure: Face the business responsibility to confront security-related requests; making use of a security classification framework helps
Myth #2: "Infosec budgets are 10 percent of IT spend."
Cause: Wishful thinking -- Gartner research shows the budget number is more like 5 percent.
Cure: get some real data
Myth #3: "Security risks can be quantified"
Cause: Illusion that you can have your security budget if you try to justify it in an Excel spreadsheet, a common misperception in a "numbers-oriented culture" in which it's thought "he who has the biggest numbers wins."
Cure: Develop non-numeric expressions of risk, and seek to ensure the business unit takes ownership of its IT-related risks.
Myth #4: "We have physical security (or SSL) so you know your data is safe"
Cause: Wishful thinking and poor understanding of risk
Cure: Ensure security purchases match data requirements
Myth #5: "Password expiration and complexity reduces risk"
Cause: Inertia. Heiser adds: "We know passwords are deeply flawed, but cracking is just not the major failure mode. Passwords are not cracked, they're sniffed."
Cure: Might not be one
Myth #6: "Moving the CISO outside of IT will automatically ensure good security"
Cause: Passing the buck. Heiser adds: "It's the old let's solve a cultural problem by re-organizing something' trick."
Cure: Analyze the root cause of weaknesses in a security program
Myth #7: "Adhering to security practices is the CISO's problem"
Cause: Passing the buck. Lines of business wants security risk to be someone else's problem, with the CISO shouldering all the risk, even though they don't feel the CISO should be able to tell them what to do.
Cure: Build an information security program around the culture
Myth 8: "Buy this tool <insert tool here> and it will solve all your problems"
Cause: External search for magic solutions to difficult problems; wishful thinking
Cure: Methodical risk analysis and prioritization, multi-year security plan