Date posted: 12-Aug-2015

10 Myths of Information Security

Greg Sternberg, MSc, CISSP

Myths

Myth #1: Security doesn't need to know a company's business

Today, not only the consumer but everyone in the world (potentially) has access to a company's data and applications.

security and legal have more in common than IT and security

security is part of your business because criminals want part of your business

Myth #2: Security prevents break-ins

the 'right' amount of security will prevent a break-in

doctor's role in preventing a cold

security is responsible for monitoring the health of a company

Myth #3: Security makes your company safer

Seat belts actually enable you to drive faster

lets the company take bigger risks

Lawyers don't decide if a company's marketing strategy should target the 20-25 demographic but they will tell you what the legal risks are

Myth #4: What you don't know won't hurt you

breaking their supposedly unbreakable code

You locked the front door to your house, but did you know your back door was unlocked? Security is both a feeling and a reality. And they're not the same.

Ignorantia juris non excusat

Myth #5: I'm not a target because [insert a reason]

It doesn't matter what you think you have or don't have; it's what the attacker thinks you have or could do for them.

What would happen if every computer in your company became a brick because the attacker encrypted the hard drive of every computer?

What might the ramifications be if a company's computers were used to break into another company's computers? How about if company computers were used to launch a cyber attack on another country? Or on a country that company does business in?

Myth #6: Security is something you can complete

Since things in IT have end dates and can be delivered, many think security has the same criteria.

"Why do the police wear Kevlar vests today when they didn't in the 60's?" The answer is, "Because the criminals have bigger guns than they did in the 60's."

Attackers aren't static

Myth #7: We are better than attackers because [insert reason]

young naive teenagers who have pasty skin and live with their mothers

They can have teams who have distinct purposes and are managed like any project in a corporation


Myth #8: Security insurance will solve security

I'll just buy security insurance instead of paying for a security program

Insurance companies may sell protection but they're in the game to make a profit. And they don't make a profit by paying for breaches

Insurance can't pay for everything

Does your company have the pockets of Sony (or Target or Home Depot or ...)?

*Apologies to Travelers

Myth #9: Compliance = security

PCI compliant with passwords like 'Passw0rd!'

HITECH doesn't prevent employees from falling for phishing attacks

No compliance regulations will protect a company from a zero day attack

PCI 2.0 was released in 2010 and it took three years before 3.0 was released

Myth #10: The job of security is security

CFO: a corporate officer primarily responsible for managing the financial risks of the corporation

CLO: In a company, the person holding the position typically reports directly to the CEO, and their duties involve overseeing and identifying the legal issues in all departments and their interrelation, including engineering, design, marketing, sales, distribution, credit, finance, human resources, production, as well as corporate governance and business policy.

...vs...

Programmer: Creates and modifies computer programs by converting project requirements into code

Human resources manager: The HR Generalist manages the administration of the human resources policies, procedures and programs.

CSO description (from investopedia):

The company executive responsible for the security of personnel, physical assets and information in both physical and digital form. The importance of this position has increased in the age of information technology as it has become easier to steal sensitive company information.

CSO description (continued): In a company, the CSO's duties involve overseeing and identifying the security and privacy issues in all departments and their interrelation, including engineering, design, marketing, sales, distribution, credit, finance, human resources, production, as well as corporate governance and business policy. This would naturally require, in most cases, reporting directly to the owner or CEO overseeing the very business with which the CSO is expected to be familiar and on which the CSO advises at the most confidential level. This requires the CSO to work closely with each of the other officers, and their departments, to be appropriately aware and to advise.

Questions?

Supporting Slides