Today’s security threats are real, and the business risks are tangible. Yet, many organisations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for events when they occur.
By and large, many IT people manage IT with a false sense of security and a heightened sense of their own capabilities. They appear to be getting stuff done. They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it really isn’t.
Some Common Fallacies That May Be Holding You Back
- Looking from a higher level at what’s taking place in the average enterprise, security is all over the place. Some people swear by their security awareness and training initiatives, yet their users’ behaviour remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.
- The same goes for policies. Even the best security policies and procedures are useless if the organisation’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. Ultimately, we all need to ask, “Does the behaviour reflect the policies?” If not, there is a problem that needs to be addressed, either with the policies or the behaviour, and often both.
- The same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully under-implemented, some to the extent that you can’t help but wonder why the money was spent in the first place.
- Some IT and security professionals believe they have completely locked down their network, but there are almost always gaps. Some organisations focus too much on compliance and too little on security, while others are too trusting of their vendors.
As economist Thomas Sowell once said, “It takes considerable knowledge just to realise the extent of your own ignorance.” The mark of a true professional is someone who realises that he or she doesn’t know everything and can’t possibly secure his or her network against every threat that is out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.