Gartner Analyst Jay Heiser explained that in InfoSec, there are a lot of "misperceptions" and "exaggerations" about both the threats you face and the solutions you use to protect your networks. All this false data boil down to "security myths" which are widely known and regularly used to explain things. Here are the ten myths, and a link to Ellen Messmer's article in InfoWorld where each of them gets busted and/or the cure is provided. This is a good read!
- "It won't happen to me"
- "InfoSec budgets are 10 percent of IT spend."
- "Security risks can be quantified"
- "We have physical security (or SSL) so you know your data is safe"
- "Password expiration and complexity reduces risk"
- "Moving the CISO outside of IT will automatically ensure good security"
- "Adhering to security practices is the CISO's problem"
- "Buy this tool <insert tool here> and it will solve all your problems"
- "Let's get the policy in place and we are good to go"
- "Encryption is the best way to keep your sensitive files safe"
Here is the link: http://www.infoworld.com/d/security/top-10-it-security-myths-putting-businesses-risk-220570
