With 2016 underway, and CIO’s taking a more critical eye at cyber security costs, and boards having a better informed definition of information risk, security organizations will be forced to evolve from past practices that were once seen as appropriate. With today’s advanced threats weighed against business priorities, CISO’s may need to abandon some assumptions and methodologies that are no longer acceptable.
3 Security Myths that Will No Longer Fly in 2016
1: A Products vendor can drive the organization’s entire security strategy
Security product salespeople will tell you that simply buying their expensive software will “address all your PCI compliance needs” or “cover 14 of the 20 critical security controls.” But the truth is that these tools neither solely ensure compliance nor fully meet the security needs of the business. Information security is about people and processes. Spending an entire year’s security budget on security software will leave an organization without the appropriate amount of staff to run the tools, and lacking in the maturity that only documented procedures can provide.
2: Vendor Security isn’t necessary (or isn’t the responsibility of the CISO)
For years the capability for a security organization to identify and assess the risk associated with third parties have been put on the back burner or left to other parts of the company. The efforts expended to protect data on internal networks are shockingly unequal to that being used to protect data of the same criticality handed without any consideration to vendors. With the criticality of data entrusted to cloud providers and application hosts, and the large percentage of high profile data breaches coming from vendor relationships in 2016, vendor security management needs to be #1 on the list of gaps to close for a CISO.
3: You won’t have any security staff turnover
It’s estimated that there will be one million unfilled cyber security jobs in 2016. Organizations invest a lot to develop security professionals internally, and the projects and initiatives of the company can often be built on the skills of these employees. However, even employees who are highly engaged and seemingly well compensated will experience salary and opportunity temptations this year that will pull a good percentage of the workforce away into new jobs. Without properly documented processes, a security organization can expect to lose a significant amount of knowledge when key employees leave for new challenges.
So What’s the Answer?
The common thread in each of these soon-to-be abandoned myths is that organizations need documented processes to address cyber risk. Set out on a plan this year to document and put in place the most critical and common security procedures that your security organization can use to enable the business and reduce threats. Having well-documented processes will lessen your dependence on tools, address third-party risks, and reduce the impact of staff turnover. By discarding these out-of-date myths, you aren’t really losing anything, but rather gaining capabilities that move you towards a more sustainable and mature security organization.
Did You Like This Post?
Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.