Stephanie Balaouras, a
principal analyst and research director at Forrester Research, put it a little
differently at a recent press event, noting that no one designs an airplane
without thinking about security at the start of the design process. "It
sounds crazy to deploy and then think about security, but that's what is
happening in many organizations," Balaouras told eWEEK.
Related to security,
Pfleeger said the second erroneous perception was the idea that privacy, too, could
be added back in afterward. Organizations are under pressure to get the service
or product off the ground and get people interested in order to build buzz, he said.
While he called out Facebook as one of the culprits of this kind of thinking,
he said other social media sites and organizations were guilty of the same. Facebook
is the poster child just because it happens to be one of the largest examples,
Many security professionals
say that encryption solves all security issues, but in actuality, that
expectation is "overrated," Pfleeger said. While protecting the data
is important, the reality is that flawed implementations frequently leave the data
unprotected. Organizations also have difficulty managing their keys
effectively, for example by storing them in insecure locations or by not knowing where
the keys are after the essential employees who handled them leave the company.
It's very common to pick one
product or technology and claim it is a cure-all, Pfleeger said. Antivirus,
intrusion-prevention systems and network tools are all good, but none of them
can do it all, he said. Security tools that are effective generally tend to be
very specialized, which means none of them can be a "silver bullet" capable
of handling all kinds of security threats. Organizations have different
environments, risk levels and requirements, which means different products will
address different needs.
Many executives believe that
security has to be perfect, "or it's not even worth talking about,"
Pfleeger said. This puts the contractor in a quandary, because it isn't
possible to counter all threats, but that isn't what the client wants to hear,
he said. A related myth is the idea that security is easy and "we can do
Pfleeger used another
building analogy, noting that he could probably do some aspects of
construction, but he doesn't. He "lets people who have done it many times
and know what they're doing" take care of the job.
To counter these
misconceptions, Pfleeger recommended that IT and security professionals think
like an attacker so they can learn about their systems and the potential threats to them. They
should recognize the limits of technology, work within those limits, and counter the
erroneous notions and myths about security whenever they come across them, he said.