6 myths CEOs believe about security

Want a more effective IT security strategy? Disabuse your CEO and senior management of these common cybersecurity misconceptions.

Roger A. Grimes Mar 27th 2018

CEOs are charged with leading all strategic planning and operations at their companies. It’s a lot to be responsible for. So, they can be forgiven for mistakenly believing that they, and the bright and capable people they put in charge of their IT security, are doing the right things in the right places against the right threats, when in fact, they are wasting large amounts of their IT security budget on things that really don’t work.

Why?

They have been taught a set of IT security myths, held with a conviction that borders on unquestionable dogma, that simply aren’t true. When you believe the wrong things, it’s hard to do the right things efficiently. Here are common myths that CEOs believe about computer security.

1. Attackers can’t be stopped

Most computer defenses are so weak and ill-advised that hackers and malware can break into them at will, and that’s only if the malicious intruders haven’t already pwned the entire environment and been in for years. Computer defenses are so bad and porous that CEOs have been told that it’s impossible to stop hackers and malware. The best they can do is to “assume breach” and work at early detection and slowing attackers down once they are in the environment.

Can you imagine a military general, under attack, telling subordinates and soldiers that there is absolutely no way they can win, no matter what they do…even if he were given more soldiers and weapons, placed exactly where they are needed to defend? Neither can I, but that’s what the world of computer security wants CEOs to believe today.

While it’s probably true that a dedicated, nation-state-funded hacker group can’t easily be stopped, most hackers and malware can be stopped from breaking in (the initial root-cause exploit) by doing a handful of things better, things the company is probably already doing, just not in the right amounts in the right places. A better-focused IT security strategy and a couple of key defenses could eliminate most of the risk of hackers or malware getting inside your environment.

2. Hackers are brilliant

Part of the reason for the nihilistic belief that hackers and malware can never be stopped is that the world thinks hackers are all brilliant, can’t-be-stopped super geniuses. This romantic ideal is readily promoted in Hollywood films, which often show the hacker taking over the entire world’s computers by casually guessing the password to any system put in front of them. Movie hackers outsmart everyone and can launch nuclear missiles and erase people’s digital identities with a few keystrokes.

This mistaken ideal is believed because most people that get hacked or infected with malware aren’t programmers or IT security people. To them it’s sort of like a magical event that must have required Lex Luthor superpowers.

The reality is that most hackers are average joes with average intelligence and are more akin to plumbers and electricians than Einstein. Hackers just know how to accomplish a particular trade using particular tools passed down by previous tradespeople, but instead of plumbing and electricity, it’s computer hacking. This is not to say that there aren’t brilliant hackers, but they are few and far between, just like in every other profession. Unfortunately, the myth that all hackers are brilliant just reinforces the myth that they cannot be defeated.

3. IT security knows what needs to be fixed

This is probably one of the most important myths to dispel. Most IT security teams, full of intelligent and hardworking people, really don’t know what they should be working on. In most cases, what they are working on will not result in a drastic reduction in computer security risk. Because they don’t know, they put too many resources in the wrong places against the wrong things.

The sad reality is that few IT security teams have real data to back up what they believe to be the real problems. If the CEO were to ask the IT security team, privately, individually, what the top threats to their organization were in order of importance, the CEO would probably be shocked to see that no one really knows the answer. Even if someone actually gave the right answer, they wouldn’t have the data to back it up. Instead, the IT security team is full of people who don’t even agree with each other about what the biggest problems are. If the IT security team doesn’t know what the biggest problems are, how can they most efficiently fight the biggest threats? They can’t.

4. Security compliance equals better security

CEOs are on the line, professionally and personally, to make sure their companies meet every legal and regulatory compliance requirement. Today, most companies are covered by multiple, sometimes conflicting, IT security requirements. All most CEOs know is that if they meet their compliance obligations, they are what the professional world considers “secure,” or at least are doing what a court would construe as secure.

Sadly, what compliance requires often isn’t the same as being secure, and it can sometimes be at odds with real security. For example, we now know that yesterday’s long-held password policy requirements, long and complex passwords that must be changed several times a year, cause more security risk than simpler passwords that are changed only when there is evidence of compromise. We’ve known this for years. It’s literally in most of the “official” password recommendations of the last few years, including NIST’s SP 800-63B, which drops composition rules and scheduled rotation in favor of a minimum length and screening against known-breached passwords.

Most IT security people and CEOs don’t know about this. Even if they do know about it, they can’t follow the newer, better password guidelines. Why? Because none of the current regulatory requirements have been updated to follow the new password guidelines. Repeat after me, compliance does not always equal security. Sometimes, it’s the opposite.
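To make the gap concrete, here is an added illustration (not code from the article) of a legacy “complexity plus 90-day rotation” policy beside checks in the spirit of NIST SP 800-63B section 5.1.1.2. The breached-password list is a constructed stand-in for a real breach corpus, the 90-day interval and the violation codes are assumptions chosen for the example, and the sample passwords are made up.

```python
"""Legacy composition-and-rotation password policy beside a NIST SP 800-63B-style
policy. Added illustration, not code from the article. The breached-password
set is constructed and tiny; a real deployment would screen against a full
breach corpus (for example the Have I Been Pwned range API)."""
import re

LEGACY_MAX_AGE_DAYS = 90  # assumed forced-rotation interval typical of older rules

# Constructed stand-in for a breached/common-password corpus (stored lowercased).
BREACHED = {"password", "p@ssw0rd", "password1!", "summer2018!", "qwerty123", "letmein"}


def legacy_policy(password, age_days):
    """Composition rules plus calendar-based expiry. Returns a list of violation
    codes; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not re.search(r"[A-Z]", password):
        problems.append("needs_upper")
    if not re.search(r"[a-z]", password):
        problems.append("needs_lower")
    if not re.search(r"[0-9]", password):
        problems.append("needs_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs_symbol")
    if age_days > LEGACY_MAX_AGE_DAYS:
        problems.append("expired")
    return problems


def nist_style_policy(password, compromised=False):
    """Checks in the spirit of SP 800-63B 5.1.1.2: minimum length, screening
    against known-breached values and obvious repetition, and a change forced
    only on evidence of compromise. No composition rules, no scheduled expiry."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if password.lower() in BREACHED:
        problems.append("breached")
    if re.search(r"(.)\1{3,}", password):  # four or more of the same character
        problems.append("repetitive")
    if compromised:
        problems.append("compromised")
    return problems


if __name__ == "__main__":
    samples = [("P@ssw0rd", 10), ("orange kettle drifts sideways", 400), ("Tr0ub4dor&3", 120)]
    for pw, age in samples:
        legacy = legacy_policy(pw, age) or "ok"
        nist = nist_style_policy(pw) or "ok"
        print(f"{pw!r:33} legacy={legacy} nist={nist}")
```

Note how the two policies disagree in both directions: “P@ssw0rd” satisfies every composition rule and sails through the legacy check, yet is rejected by the breach screen, while a long, lowercase passphrase that has been in use for over a year fails the legacy check three times and passes the NIST-style one.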

5. Patching is under control

Most CEOs think they have patching under control. By “control,” I mean that patch compliance for software is either 100 percent or near it. Yet in over 30 years of IT experience, I’ve never inventoried a computer or device that was fully patched. Never. Not once. Especially not the very devices, such as routers, firewalls, and servers, that are supposed to be perfectly patched. Most IT security departments probably tell their CEO that patching is “near perfect,” probably somewhere in the high 90s percent, but the devil is in the details.

Here’s the reason for the high percentage: Most companies have hundreds to thousands of programs that they need to patch. Most of them never need patching, not because they have no bugs, but because attackers don’t target them, so the bugs never get found and never need to be fixed.

In most organizations, maybe 10 to 20 unpatched programs account for the vast majority of hacking risk. Of those programs, the patching rate is probably very high for most, with maybe one or two not being patched at a rate as high as the others. Unfortunately, it’s those one or two unpatched programs that present the vast majority of risk in most organizations, but if you report on the aggregate number alone, patching looks pretty good.

Here’s an example. Suppose a company has only a hundred programs to patch. Of those hundred programs, only one has a bad patching rate, let’s say it’s only 50 percent patched. Averaged across the hundred programs, the overall patching rate would be 99.5 percent. That seems pretty good, but what that number really means is that half the machines running that program are unpatched and vulnerable, and more than likely, that one half-patched program is one of the top unpatched programs that hackers use to break into your organization.

I’m not even mentioning the ton of unpatched hardware, firmware and drivers that most companies don’t even attempt to patch. They aren’t usually included in the patching reports. If you included them, the patching rates would look much worse. Lately, hackers are attacking hardware and firmware more frequently. It’s not a coincidence.
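The following is an added example (not code from the article) that builds a constructed inventory matching the 100-program, one-at-50-percent scenario above, then shows how the headline average hides the weak program and how the picture changes once firmware is counted. The host count, program names and the “pdf-reader” and “bios-firmware” items are assumptions made up for the illustration.

```python
"""Patch-coverage report that surfaces the one badly patched program instead of
averaging it away. Added illustration, not from the article; the inventory is
constructed to match the article's 100-program, one-at-50-percent scenario."""
from collections import defaultdict


def build_inventory(hosts=20, programs=100):
    """Constructed data: every host runs every program. All are fully patched
    except 'pdf-reader' (unpatched on half the hosts) and the BIOS firmware
    (unpatched everywhere, and usually left out of patching reports)."""
    inventory = []
    for h in range(hosts):
        host = f"host{h:02d}"
        for p in range(programs):
            item = "pdf-reader" if p == 0 else f"program{p:03d}"
            patched = not (item == "pdf-reader" and h % 2 == 0)
            inventory.append({"host": host, "item": item, "kind": "software", "patched": patched})
        inventory.append({"host": host, "item": "bios-firmware", "kind": "firmware", "patched": False})
    return inventory


def coverage_by_item(inventory, kinds=("software",)):
    """Fraction of hosts on which each item is patched, restricted to the given kinds."""
    counts = defaultdict(lambda: [0, 0])  # item -> [patched, total]
    for rec in inventory:
        if rec["kind"] in kinds:
            counts[rec["item"]][1] += 1
            counts[rec["item"]][0] += int(rec["patched"])
    return {item: patched / total for item, (patched, total) in counts.items()}


def headline_rate(coverage):
    """Mean of the per-item rates: the single number that reaches the CEO."""
    return sum(coverage.values()) / len(coverage)


def weakest(coverage, threshold=0.95):
    """Items below the threshold, worst first: the list that actually describes risk."""
    return sorted(((i, r) for i, r in coverage.items() if r < threshold), key=lambda x: x[1])


if __name__ == "__main__":
    inv = build_inventory()
    sw = coverage_by_item(inv)
    print(f"software only: headline {headline_rate(sw):.1%}, weakest {weakest(sw)}")
    everything = coverage_by_item(inv, kinds=("software", "firmware"))
    print(f"with firmware: headline {headline_rate(everything):.1%}, weakest {weakest(everything)}")
```

Software-only reporting yields the 99.5 percent headline from the text while the weakest-items list shows pdf-reader at 50 percent; adding the firmware row drops the headline to about 98.5 percent and puts a 0-percent item at the top of the list. Report the weakest list, not just the average.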

6. Employee security training is adequate

One of the top two threats at most companies is social engineering, either arriving via email or web browser, or maybe even a phone call. Considering just the top attacks that caused the most damage, social engineering is probably involved in 99 percent of cases. In the last 20 years, I’m only aware of a single case where social engineering wasn’t involved in compromising a company. Most IT security teams will agree with me.

Yet, most companies devote less than 30 minutes a year to social engineering training. The computer security defense world has identified one of the top two problems in most organizations (the other is unpatched software) and yet almost no organizations act like it. Instead, employees are not adequately trained to prevent social engineering from being successful, and companies continue to get successfully hacked no matter what else they do, no matter how much money or other resources they bring to bear.

The other five myths feed the first one: that hackers and malware can’t be stopped. This forms an inefficient baseline from which all other IT security strategies are discussed. If you’re a CEO (or CSO or CISO) and you think this article is hyperbole, I challenge you to ask your IT security team one question: “What is our biggest threat, and where is the data to support it?” Ask each team member that question, privately and separately. You won’t get a common answer or the data to back it up. If you don’t have agreement on what the biggest problems are, how can you efficiently fight them?