There are many well-established myths that can hamper you in the cybersecurity area.
Myth #1 – It’s all about IT
Imagine this scenario: a disgruntled system administrator intentionally disables your core application and deletes your most important databases.
Is this an IT issue? No, this is hardly an IT issue; it is more like an HR issue. Could this have been prevented by IT safeguards? No. The person in this position is required to have direct access to all of your systems.
So, the way to prevent this type of scenario falls outside the technology area and comes down to how to select your employees, how to supervise them, which kind of legal documents have been signed, how this person is treated within the company, and so on.
Don’t get me wrong – information technology and IT safeguards are extremely important in cybersecurity, but they alone are not enough.
These measures must be combined with other types of safeguards to be effective. And this is something I’ll explain later.
Myth #2 – Top Management has Nothing to do with Cybersecurity
You are probably aware that safeguards cannot be implemented without money and employee work time. But, if the executives in your company are not convinced this protection is worth the investment, they are not going to provide the required resources. Hence, the project will fail.
Further, if top executives do not comply with security rules and, for instance, leave the laptop (with its list of top clients together with details about sales and related correspondence) unprotected at the airport, all other security efforts will be in vain.
So, your top managers are a very important part of cybersecurity.
Myth #3 – Most of the Investment will be in Technology
False. Most of the companies I have worked with already had most of the technology in place.
What they did not have were rules on how to use that technology in a secure fashion. This is like purchasing a fancy new BMW and only using such a luxury car for delivering pizzas.
The information will be protected if everyone with access knows what is allowed and what is not, and who is responsible for every piece of information or for every piece of equipment. This is achieved by defining clear rules, usually in the form of policies and procedures.
As a rule of thumb, I would say investment in technology is usually less than half of the required investment. In some cases, it may even be less than 10%. The majority of the investment is usually in developing the policies and procedures, training and awareness, etc.
Myth #4 – There is no ROI in Security
Yes, security costs money, and usually this protection will not bring you additional revenues.
The whole idea of cybersecurity is to decrease the costs related to security problems (i.e., incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases the savings achieved are far greater than the cost of the safeguards; so, you will “profit” with cybersecurity.
We will talk more about Return on Security Investment in a bit.
Myth #5 – Cybersecurity is a One-time Project
False. Cybersecurity is an ongoing process. For instance, suppose you develop an Incident Response procedure which requires your employees to notify the Chief Information Security Officer on his or her cell phone about each incident, and then this person leaves your company. If you want your system to remain functional, you obviously no longer want these calls to go to him or her.
You have to update your procedures and policies, but also software, equipment, agreements, etc. And this is the job that never ends.
Myth #6 – The Documentation Myth
Writing a pile of policies and procedures does not mean your employees will automatically start complying with them.
Security is normally quite a big change and, frankly speaking, no one likes to change established practices. For example, instead of your good old “1234” password, you suddenly have to change your password every 90 days to something with eight characters, out of which at least one must be a number and one a special character.
Source: 9 Steps to Cybersecurity