With 2016 underway, CIOs are taking a more critical look at cyber security costs and boards have a better-informed definition of information risk, so security organizations will be forced to move beyond past practices that were once seen as appropriate. With today's advanced threats weighed against business priorities, CISOs may need to abandon assumptions and methodologies that are no longer acceptable.
3 Security Myths that Will No Longer Fly in 2016
1: A product vendor can drive the organization's entire security strategy
Security product salespeople will tell you that simply buying their expensive software will "address all your PCI compliance needs" or "cover 14 of the 20 critical security controls." The truth is that these tools neither ensure compliance on their own nor fully meet the security needs of the business. Information security is about people and processes. Spending an entire year's security budget on security software will leave an organization without enough staff to run the tools, and lacking the maturity that only documented procedures can provide.