CEOs are responsible for leading all of their companies' strategic planning and operations. It's a huge responsibility. So they can be forgiven for mistakenly believing that they are doing the right things in the right places against the right threats, and that the bright and capable people they put in charge of their IT security are doing the same, when in fact they are wasting large amounts of their IT security budget on things that don't really work. Why? They were taught to believe a set of IT security myths, bordering on unquestioned dogma, that simply are not true. It's hard to do the right things efficiently when you believe the wrong things. Here are common myths about computer security that CEOs believe.
IT security knows what needs to be fixed
This is probably one of the most important myths to dispel. Most IT security teams, full of smart, hard-working people, don't really know what to do. In most cases, what they work on will not lead to a drastic reduction in computer security risk. They're putting too many resources in the wrong places against the wrong things because they don't know any better.
The sad reality is that few IT security teams have real data to support what they think the real issues are. If the CEO were to ask the members of the IT security team, privately and individually, what the most significant threats to their organization are, the CEO would probably be shocked to find that nobody really knows the answer. Even if somebody gave the correct answer, they wouldn't have the data to back it up. Instead, the IT security team is full of people who don't even agree on what the biggest issues are. If the IT security team doesn't know what the biggest issues are, how can they fight the biggest threats most effectively? They can't.
Security compliance equals better security
CEOs are on the line, both professionally and personally, to ensure that all legal and regulatory compliance requirements are met by their companies. Today, most companies are covered by multiple IT security requirements, some of which conflict with one another. All CEOs know that if they fulfil their compliance obligations, they are what the professional world considers to be "safe," or at least they are doing what a court would consider to be safe.
Sadly, what compliance requires is often not the same as being safe, and sometimes it can be at odds with real security. For example, we know today that the long-held password policy requirements of yesterday, including the use of long and complex passwords that must be changed frequently throughout the year, cause more security risk than the use of non-complex passwords that never change. We've known this for years, and it is reflected in most of the "official" password recommendations issued in recent years, including the NIST publications.
Most IT security people and CEOs don't know this. And even if they do know about the newer, better password guidelines, they can't follow them. Why? Because none of the current regulatory requirements have been updated to permit the new password guidelines. Security is not always equal to compliance. At times it's the opposite.
Keep watching this space for more.