The myths believed by CEOs about security
27 March 2018 | 0
CEOs are charged with leading all strategic planning and operations at their companies. It is a lot to be responsible for. So, they can be forgiven for mistakenly believing that they, and the bright and capable people they put in charge of their IT security, are doing the right things in the right places against the right threats, when in fact, they are wasting large amounts of their IT security budget on things that really do not work.
They have been taught to believe a set of IT security myths that border on unapproachable dogma that simply aren’t true. When you believe the wrong things, it is hard to do the right things efficiently. Here are common myths that CEOs believe about computer security.
- Attackers cannot be stopped
Most computer defences are so weak and ill-advised that hackers and malware can break into them at will, and that is only if the malicious intruders have not already ‘pwned’ the entire environment and been in for years. Computer defences are so bad and porous that CEOs have been told that it is impossible to stop hackers and malware. The best they can do is to “assume breach” and work at early detection and slowing attackers down once they are in the environment.
Can you imagine a military general, under attack, telling subordinates and soldiers that there is absolutely no way they can win, no matter what they do, even if you were to give him more soldiers and weapons in the right places to defend with? That is what the world of computer security wants CEOs to believe today.
While it is probably true that a dedicated, nation-state funded, hacker group cannot easily be stopped, most hackers and malware can be stopped from breaking in (the initial root cause exploit) by better doing a handful of things that the company is probably already doing, just not in the right amounts in the right places. A better-focused IT security strategy and a couple of key defences could significantly reduce most of the risk of hackers or malware from getting inside your environment.
- Hackers are brilliant
Part of the reason for the nihilistic belief that hackers and malware can never be fixed is that the world thinks that hackers are all brilliant, cannot-be-stopped, super geniuses. This romantic ideal is readily promoted in Hollywood films that often show the hacker taking over the entire world’s computers by easily guessing passwords for any system with which they are presented. Movie hackers outsmart everyone and can launch nuclear missiles and erase people’s digital identities with a few keystrokes.
This mistaken ideal is believed because most people that get hacked or infected with malware are not programmers or IT security people. To them it is sort of like a magical event that must have required Lex Luthor superpowers.
The reality is that most hackers are average joes with average intelligence and are more akin to plumbers and electricians than Einstein. Hackers just know how to accomplish a particular trade using particular tools passed down by previous tradespeople, but instead of plumbing and electricity, it is computer hacking. This is not to say that there are not brilliant hackers, but they are few and far between, just like in every other profession. Unfortunately, the myth that all hackers are brilliant just reinforces the myth that they cannot be defeated.
- IT security knows what needs to be fixed
This is probably one of the most important myths to dispel. Most IT security teams, full of intelligent and hardworking people, really do not know what they should be working on. In most cases, what they are working on will not result in a drastic reduction in computer security risk. Because they do not know, they put too many resources in the wrong places against the wrong things.
The sad reality is that few IT security teams have real data to back up what they believe to be the real problems. If the CEO were to ask the IT security team, privately, individually, what the top threats to their organisation were in order of importance, the CEO would probably be shocked to see that no one really knows the answer. Even if someone actually gave the right answer, they would not have the data to back it up. Instead, the IT security team is full of people who do not even agree with each other about what the biggest problems are. If the IT security team does not know what the biggest problems are, how can they most efficiently fight the biggest threats? They cannot.
- Security compliance equals better security
CEOs are on the line, professionally and personally, to make sure their companies meet every legal and regulatory compliance requirement. Today, most companies are covered by multiple, sometimes disagreeing, IT security requirements. All CEOs know is that if they meet the compliance obligations, that they are what the professional world considers “secure,” or at least are doing what a court would construe as being secure.
Sadly, what is required in compliance often is not the same as being secure, and it can sometimes be at odds with real security. For example, today we know that yesterday’s long-held password policy requirements, which include using long and complex passwords that must be frequently changed during the year, are causing more security risk than using non-complex passwords that never change. We have known this for years. It is literally in most of the “official” password recommendations sent out in the last few years, including the NIST publications.
Most IT security people and CEOs do not know about this. Even if they do know about it, they cannot follow the newer, better password guidelines. Why? Because none of the current regulatory requirements have been updated to follow the new password guidelines. Repeat after me: compliance does not always equal security. Sometimes, it is the opposite.
- Patching is under control
Most CEOs think that they have patching under control. By “control,” I mean that patching compliance of software is either 100% up to date or near that. Instead, I have never inventoried a computer or device, in my over 30 years of IT experience, that was fully patched. Never. Not once. Especially not the very security devices, such as routers, firewalls, and servers that are supposed to be perfectly patched. Most IT security departments probably tell their CEO that patching is “near perfect,” probably in the high 90%, but the devil is in the details.
Here is the reason for the high percentage: Most companies have hundreds to thousands of programs that they need to patch. Most of them never need patching, not because they do not have bugs, but because attackers do not attack them. The bugs do not get found and do not need to be patched.
In most organisations, maybe 10 to 20 unpatched programs represent the biggest majority of hacking risk. Of those programs, the patching accuracy rate is probably very high for most of the programs, with maybe one or two programs not being patched at a rate as high as the others. Unfortunately, it is those one or two unpatched programs that present the vast majority of risk in most organisations, but if you report on numbers alone, it might look like patching is pretty good.
For example, suppose a company only has a hundred programs to patch. Of those hundred programs, only one has a bad patching rate, let us say it is only 50% patched. The overall patching rate would be 99.5%. That seems pretty good, but what number really means is that half your computers are vulnerable and unpatched, and more than likely, that one half-patched program is one of the top unpatched programs that hackers use to break into your organisation.
I’m not even mentioning the ton of unpatched hardware, firmware and drivers that most companies do not even attempt to patch. They aren’t usually included in the patching reports. If you included them, the patching rates would look much worse. Lately, hackers are attacking hardware and firmware more frequently. It’s not a coincidence.
- Employee security training is adequate
One of the top two threats at most companies is social engineering, either arriving via email or web browser, or maybe even a phone call. Considering just the top attacks that caused the most damage, social engineering is probably involved in 99% of cases. In the last 20 years, I’m only aware of a single case where social engineering wasn’t involved in compromising a company. Most IT security teams will agree with me.
Yet, most companies devote less than 30 minutes a year to social engineering training. The computer security defence world has identified one of the top two problems in most organisations (the other is unpatched software) and yet almost no organisations act like it. Instead, employees are not adequately trained to prevent social engineering from being successful, and companies continue to get successfully hacked no matter what else they do, no matter how much money or other resources they bring to bear.
All the subsequent myths cause the first myth discussed above: that hackers and malware can’t be stopped. This forms an inefficient baseline from which all other IT security strategies are discussed. If you’re a CEO (or CSO or CISO) and you think this article is hyperbole, I challenge you to ask your IT security teams one question: “What is our biggest threat and where is the data to support it?” Ask each team member that question, privately and separately. You won’t be able to get a common answer or the data to back it up. If you don’t have agreement on what the biggest problems are, how can you efficiently fight them?
Roger A Grimes is columnist with CSO Online, holding more than 40 security certifications
IDG News Service