2. Session covers
• “misperceptions” that can shatter the best-implemented IT security plans.
• “exaggerations” about the threats that a business could face and the security technologies being used.
• To sum up, these false assumptions add up to
“security myths”.
• The ‘Cause’ & ‘Cure’ – busting.
9/23/2013 2
5. Myth
• An invented or cooked-up story that has no valid basis, proof or description, yet people believe in it.
6. Myth: “It won’t happen to me”
• Cause:
– Letting employees do whatever they want in order to cut costs.
– We’re so young. So most of our faults and
mistakes should be forgiven.
• Cure:
– Take up the responsibility to address security-related requests.
– Make use of a security classification framework.
7. Myth: “Security risks can be
quantified”
• Cause:
– The “numbers-oriented culture”
– “he who has the biggest numbers wins”.
• Cure:
– Develop non-numeric expressions of risk.
– Make sure the BU takes ownership of its IT-related risks.
8. Myth: “We have physical security (or
SSL) so you know your data is safe”
• Cause:
– Nothing but poor understanding of risk.
– Wishful thinking.
• Cure:
– Ensure security purchases match data
requirements.
9. Myth: “Password expiration and
complexity reduces risk”
• Causes:
– Passwords are not cracked. They are sniffed.
• Cure:
– ?
10. Myth: “We can control our people”
• Cause:
– Misguided belief placed in someone.
– BYOD
• Cure:
– Nothing much to do here. “Regulate”
11. Myth: “Buy this tool <X> and it will
solve all your problems”
• Cause:
– External search for magic solutions to difficult
problems; wishful thinking again!
• Cure:
– Methodical risk analysis and prioritization.
– Multi-year security plan.
12. Myth: “Encryption is the best way to
keep your sensitive files safe”
• Cause:
– Naïve expectations about a difficult technology.
– “magic bullets” to shoot down regulatory
concerns.
• Cure:
– Ensure you have solid experience in cryptography before making decisions and jumping to conclusions.
14. Why?
• Factors that are simply the human propensity
(a natural tendency) to over-react in
unfamiliar situations.
• The common organizational bent to pass the
blame to someone else.
• Passing the buck, power politics.
15. Wishful thinking
• The illusion that your wishes or desires will
become reality just because you desire them
so much.
• The mistaken belief that what you wish for is
actually true.
16. Thanks to
• Matha, Pitha, Google, Dhaivam
• Jay Heiser (Analyst, Gartner)
• Javvad Malik (Analyst, The 451 Group)