However, organizations continue to drive their security efforts based on fallacies and myths, and make seemingly avoidable mistakes when it comes to information security. I'll present six common myths, in no particular order:
Network Defenses will Protect your Kingdom
Technology/Tools are the Panacea
Only Bad People are Bad
Security ROI is the Beacon
Secure Software is Costly
The Security Breach du Jour is the Most Pressing
1) Network Defenses Protect Your Kingdom
The problem isn't our networks (which are pretty well protected, by the way). It's the crappy software we write and put on the network.
There is no discipline or rigor to software engineering like there is in other engineering disciplines. I'm a mechanical engineer by trade with certifications that verify my expertise in this craft. There is no equivalent in the software world, and we, as organizations that build and buy software, aren't demanding a change.
Network defenses, like firewalls and intrusion prevention systems, have a place in a multi-layered information security solution, but they can't protect us from the majority of vulnerabilities: those in the application layer.
2) Technology/Tools are the Panacea
I love tools. I worked for a software testing tools vendor for more than five years. But I also recognize that tools alone don't make people smarter, nor do they improve the process through which solutions are built. They simply make people and processes more efficient in jobs they are trained to do.
Tools don't teach a surgeon how to operate. I didn't become a better mechanical design engineer because I learned how to use AutoCAD; it just made me more efficient in the job I was already trained to do. That's the problem. There is no training in the application development discipline and no rigor in holding teams accountable for maintaining secure infrastructures. Tools have their place in a complete information security workflow, but they require people who know how to operate them to be effective.