Tuesday, 20 November 2012

Top 10 Information Security Myths

Any sufficiently complex field has a collection of myths associated with it.  They appear to be a normal part of the expansion of the knowledge base, where a premise is put forward, evaluated, and either accepted or discarded.  Myths can be thought of as the fuel for the scientific method.
However some myths seem to be cherished even when provably false.  This is true in the individual fields of information technology, psychology and law, and when put together into the field of information security, they can be more pervasive and harder to dispel.

In this series we’ve distilled the feedback we’ve had from 10 years of client conversations, and come up with the top 10 myths in information security.
Like all myths, some will be busted, some are plausible and a few even confirmed.

Top 10 Information Security Myths
Myth #1: No-one will attack us
Myth #2: We've outsourced our security
Myth #3: We have the best hardware
Myth #4: We comply with PCI DSS
Myth #5: It’s too risky to patch
Myth #6: We have good physical security
Myth #7: A security review is just an audit
Myth #8: Security is too expensive
Myth #9: We trust our staff
Myth #10: We have a security plan

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com