Earlier this week, an op-ed published on The Hill sent information security (infosec) Twitter into a tizzy by blaming cybersecurity industry best practices for recent high-profile security breaches. For the security team at Forrester, the op-ed furthered a number of security myths that we felt compelled to bust here.
Myth #1: The Best Infosec Pros Have Never Had A Security Incident
A quick nose count among the Forrester security and risk (S&R) team determined that if security teams only hired people who had never worked for a firm that had suffered a security incident, most of us would no longer be employable. We posted a poll on Twitter, and the responses confirmed what we expected.
Breaches are opportunities to learn for companies, practitioners, and the entirety of the industry. Gaps in visibility, procedural errors, poor implementations, bad decisions, and incorrect or incomplete information can all combine to make breaches worse. We learn how to overcome those by sharing information, not shaming individuals.
Myth #2: Perfect Security Exists
Not only have most of us worked for a company that’s suffered an incident, but incidents are inevitable. Fifty-nine percent of global security decision-makers responding to the Forrester Analytics Business Technographics® Security Survey, 2020, say that their firm’s sensitive data was breached at least once in the past year. Incidents happen. Breaches happen. Smart organizations don’t throw stones or chase ambulances but instead approach security with a post-breach mindset.
Those who lack an understanding of security may believe that zero-incident security is possible or that the perfect chief information security officer is the one who never had an incident. These are some of the misunderstandings about the difference between security and risk. If you want perfect security, disconnect from the internet, and unplug every computer. Since that’s not realistic, security teams take calculated risks and figure out how much exposure the organization can accept so that it can still do business while decreasing the likelihood of a breach.
Myth #3: Security Best Practices Are Academic Ideals That Don’t Work
It’s easy to critique nebulous “security best practices” as not being robust enough to prevent attacks, but most experts will tell you breaches occur not due to inappropriate best practices, but because best practices are not being followed. Statements about needing a “renaissance” in the security space fail to understand, or bring empathy to, the depth of the challenge. It’s easy to say that the security industry needs a renaissance; it’s hard to actually say what that would look like and how that would better address the challenges we face. It’s easy to say, “Let’s implement Zero Trust.” It’s tough to actually be the one who has to execute. Anyone in the trenches can explain why, just like content marketers know it’s not enough to write a blog full of buzzwords and product managers know they can’t implement every killer feature they want immediately.
Bust The Myths And Influence The Change That Security Really Needs
The saddest thing is that while these myths ring false to most security practitioners, there is a subset within IT and the business that likely believes them. After all, security does not necessarily have the rosiest of reputations, and that is something the profession has been working hard to correct. Unfortunately, this lack of support is unhelpful at best and deeply damaging at worst. In fact, one of the top causes of toxicity in security today is the lack of organizational support.
While it’s easy to be frustrated with outdated and outrageous views, there are steps that you can take to help close that gap in understanding. As you build a culture of security, put some focus on transparency, pushing outside the silos and sharing both the reasons for best practices and the successes that they yield.
A security-aware and transparent culture has the potential to make or break the upward momentum of security programs and your brand. This doesn’t occur by a miracle, but by taking a methodical approach to: 1) set the tone from the top with your board; 2) build a human-centric security program; 3) build support, manage detractors, and navigate politics; 4) move outside the silos with security champions, whether they’re developers helping you address application security issues or champions helping you rebrand; and 5) trumpet your progress and successes across the organization.