If You Could Debunk Any Cybersecurity Myth in the World
We asked 70 cybersecurity professionals, old and new: If there is one myth that you could debunk in cybersecurity, what would it be?
This series is part of the countdown to our official Tribe of Hackers release on January 28th. Subscribe to our weekly Risk Report newsletter to get first-hand access to Amazon order details.
Every industry has myths and stereotypes that the professionals within them would like to debunk. We believe cybersecurity is a prime example—almost every professional we interviewed had a different answer. Here are some of our favorites:
The biggest myth that I hear is how attackers are always changing up their tactics. While it is true that new exploits come out over time, the initial exploit is just the tip of the iceberg when it comes to attacker movement on a system or network.
Even if an organization is compromised by a zero-day attack, the lateral movement, registry manipulation, network communications, and so on will be very apparent to a mature cybersecurity practitioner and program. So, their tactics don’t really change a lot.
— Marcus Carey, @marcusjcarey
The myth that individuals who work in cybersecurity are all one type of person.
Cybersecurity is a wide field with many different types of jobs and consists of individuals from various backgrounds. In fact, the industry greatly benefits from hiring people of differing backgrounds, precisely because crafting solutions to difficult and nuanced problems in this space requires differing opinions. However, because so many people believe they need to fit a certain type of mold to succeed in this industry, many don’t even consider it as a possible career option. As a biracial woman who only started coding in college, I want to encourage as many people as possible to consider the field, even if they don’t “fit the mold.”
— Winnona DeSombre, @__winn
That security cannot be increased without lowering usability. I do believe that security is a compromise between usability, security, and price—you can get two, but you can never get all three.
— Sami Laiho, @samilaiho
“Security is hard!” That would be the myth I would like to debunk. I look at security as an ongoing, evolving challenge that anyone can participate in. To start debunking this myth, I believe that, as security practitioners, we need to be explicit with our language and ensure that we are collectively speaking and using the same terminology. One of my personal goals is to reduce the barrier to entry when it comes to security and how it is explained to people. Security is a complex problem that contains many components and there is something for everyone. We should be open to helping and teaching all.
— Charles Nwatu, @charles_nwatu
I’d like to put to rest the idea that preventative security alone can solve all your security problems. This may sound strange since that’s how most preventative security products are marketed. “Buy our panacea solution and you will never have to worry about security again!” And yet, all these enterprises with their giant security budgets are still getting breached. What’s missing? Penetration testing, vulnerability assessment, impact analysis, call it what you want; the missing piece is simply confirming that your security solutions hold up under a simulated attack, then finding the weaknesses and limiting the impact of a successful breach as much as possible. No preventative solution alone can stop sophisticated attacks.
— Georgia Weidman, @georgiaweidman