NATIONAL HARBOR, MD - Information security is peppered with several misconceptions and exaggerations about threats facing businesses and the technologies to combat those threats, according to a Gartner analyst.
The misconceptions have become “security myths” which are widely held among senior management, business managers, and even among security professionals, Jay Heiser, a Gartner analyst, told attendees at the Gartner Security & Risk Management Summit on Tuesday. Risk perspective is “not rational” and based on information at hand, people can misunderstand or overemphasize risk, Heiser said. This is why people may wind up emphasizing the wrong ideas, worrying over exotic issues instead of thinking about the common–and more likely–risks.
Myth #1: “It won’t happen to me”
This is the fundamental example of wishful thinking, Heiser said. In many cases, this kind of thinking is an indicator that “someone doesn't want to pay for it.” If anyone acknowledges there is a problem, then that person would have to do something about it, which may be expensive or time-consuming. “Don't ask, and then we won't have to tell” there is a problem, Heiser said.
This kind of thinking is also present in cases where the organization has become “inured to hype” because of all the “sky-is-falling” security claims. The industry has a lot of FUD, and security practitioners have to shoulder some of the blame, Heiser said. “Crying wolf is a bad idea because it makes people inured to a whole category of risk,” he said.
Security professionals can address this kind of wishful thinking by working with business to address security-related requrests. Having business managers use a security classification framework when thinking about requirements helps, as does gathering business-aligned evidence, Heiser said.
Myth #2: “Infosec budgets are 10% of IT spend.”
Here is another example of wishful thinking. Recent Gartner research shows that information security spending is closer to 5 percent of the total IT budget, Heiser said. Security managers should gather up real budget data to show what the actual percentage is.
Myth #3: “Security risks can be quantified”
There is a common misperception in a “numbers-oriented culture” that everything has a number attached to it. The illusion may be that security managers can get the budget they need if only they could justify it with an Excel spreadsheet. This is very similar to the demand, “Bring me the witch's broomstick!” in the Wizard of Oz, Heiser said. It's not possible and is really a ploy to make the security people go away, he added.
Security professionals need to recognize what can and cannot be quantified, and develop non-numeric expressions of risk. The business unit also needs to start taking ownership of its own IT-related tasks and associated risks, Heiser said.
Myth #4: “We have physical security (or SSL) so you know your data is safe”
Another example of wishful thinking, this myth also shows a poor understanding of risk, and is frequently heard from third-party providers, Heiser said. This kind of “head fake” relies on telling businesses about a superficial feature in order to convince them to buy, and reflects an immature understanding of security architecture.
Businesses should develop standards for use cases and specific control requirements appropriate which as appropriate for the data's sensitivity level. With specific requirements and data properly classified, it is harder to get distracted by non-essential items, Heiser said.
Myth #5: “Password expiration and complexity reduces risk”
Passwords are not effective and the entire scheme is deeply flawed, but many organizations cling to “obsolete historical precedent” because of inertia Heiser said. There is an element of wishful thinking, hoping that doing this would be sufficient. There is also a bit of laziness involved, as it would require more work to implement stronger authentication schemes.
“Cracking is just not the major failure mode. Passwords are not cracked, they’re sniffed,” Heiser said.
Unfortunately, there may not be a cure for this myth. Showing the evidence doesn't always work, but IT departments can teach employees to not use personal passwords for work systems. They can always make a business case for stronger authentication and see if the unit buys in to the idea.
Myth #6: “Moving the CISO outside of IT will automatically ensure good security”
This is just an example of passing the buck. “It’s the old ‘let’s solve a cultural problem by re-organizing something’ trick,” Heiser said. Organizations should analyze the security program and analyze the root cause of weaknesses and improve exective support for security objectives.
Myth #7: “Adhering to security practices is the CISO’s problem”
This is another example of passing the buck, since the line of business just wants security to be someone else's problem. This myth relies on the school of thought that says the CISO should shoulder the risk, even though the CISO should not have have the authority to tell the line of business what to do.
An executive mandate stressing the importance of security across all levels of the organization is a good place to start. This will help build business support for security goals, and to establish an information security program that everyone has input into.
Myth 8: “Buy this tool and it will solve all your problems”
This form of wishful thinking comes out of the search for the magic bullet to solve all things security, Heiser said. There is also an element of “curiosity and boredom,” as the person may be wondering what the technology could do and buying into the “magic answer” premise to justify the purchase. This myth represents a flawed understanding of the overall security problem, Heiser said.
Organizations should adopt a strategic approach to information security management and implement a multi-year plan, Heiser recommended. Having a methodical risk analysis and priorities shows everyone where the organization is headed.
Myth #9: “Let’s get the policy in place and we are good to go”
“If wirting things down could eliminate risk, ours would be a perfect world,” Heiser said. This example of wishful thinking forgets there is a lot of work left beyond just creating policies.
Organizations need to establish management responsibility and decide which security battles are worth fighting, Heiser said.
Myth #10: “Encryption is the best way to keep your sensitive files safe”
This final myth buys into the same magic bullet kind of thinking that was prevalent in other myths. There is always the search for the Holy Grail, and many–security professionals and business managers alike–are buying into the thought that encryption would handle all regulatory concerns. It is, at best, “naive expectations about a difficult technology,” Heiser said.
“When encryption works, it works brilliantly, but it can cause more harm than good” if not implemented correctly, Heiser said.
Organizations should ensure they have someone with solid experience in cryptography before making decisions, and avoid proprietary implementations. They should look at access control, activity monitoring, and data-loss prevention for situations where cryptography is impractical.
Many of these security myths came about simply because people tend to overreact in unfamiliar situations and to blame someone else when something goes wrong.
“There’s no reason the CISO should just sit there and accept all those hot potatoes,” especially when employees are loading up on consumer computing technologies, Heiser said. There is a strong motivation to underestimate risk, to avoid additional expenses or inconvenience, and an unwillingness to give up control.
The security organization can tackle these challenges with a methodical approach and creating a holistic view of risk. By improving risk perception, security professionals can work with managers to prioritize risk across multiple domains.
It's also important to not fall in the trap of security theater, Heiser warned. Sometimes, there's a tendency to address the most visible risks instead of the most dangerous ones, or implementing visible controls instead of the most effective ones, Heiser said.
Incorporating human factors, such as how people react to ambiguous and risky situations, will ensure the security program will react to business needs. Organizations need to create mechanisms that help business managers conceptualize security risks, Heiser said.