10 Myths of Information Security
by Andrew Plato

Information security is sometimes misinformation security. Competing opinions and pressure to sell products have led many organizations and individuals to promote inaccurate or misleading concepts. The following list highlights ten of the most pervasive myths that Anitian encounters in our business. This list is based on a white paper Anitian's president, Andrew Plato, authored in December 2004. The full paper is available at: www.anitian.com\corp\papers.

10. Open Source Products Are More Secure
Open source products might have the potential to be more secure, but they are not necessarily more secure by default. Poorly managed and maintained open source systems are just as insecure as poorly maintained commercial products. How software is installed, configured, and maintained has a more profound impact on security than the underlying technology.

9. Some Organizations are Not a Target
The value of your computers or the data on them does not necessarily lower your target profile. Hackers often use low-priority systems as a beachhead to gain access to more valuable systems. Everybody is a target.

8. Patching is Critical
Patching is symptomatic of larger problems in the technology industry. Ideally, you should have mechanisms in place that make patching a process that can be done after adequate testing. There are technologies that can provide a buffer and allow you to patch more casually. You should not rely solely on software manufacturers to secure their products.

7. Security Should Be Easy
Security is a complex challenge that is not made readily easy. Technologies may be easy to use, but securing information systems is not easy. Do not confuse technology vendors' claims of "easy to use" with "easy to secure."

6. Awareness Will Make Us Secure
Awareness without action is almost worse than not being aware in the first place. If you are aware that your company has security problems and you do nothing about it, then you are liable - and that is almost worse. Awareness must go hand in hand with initiatives to make your organization more secure.

5. Security Regulations are Important
They are only important if you are not already doing a good job of securing your systems. Do not rely on government regulations to provide you guidance on how to secure information systems. 

4. Technology Makes Us Secure
Technology is a tool. And tools are only as good as their users. Complex security technologies in the hands of unskilled users are almost worse than not having the technologies in the first place. Technology does not make you secure. Smart people using good technologies make you secure.

3. All Software Has Security Flaws
Developers have become too lax about coding practices and consumers have become too tolerant of badly designed applications. Demand secure code for applications you purchase or develop.

2. Security is a Journey that Never Ends
Nothing is a journey that never ends. Establish metrics where you assess your security goals and confirm they are providing real value. All security initiatives should come to an end and then be evaluated for their success.

1. Trust Us
We do not entrust sales people to fly planes, perform surgery, or repair cars. Why then are you allowing sales people from technology companies and resellers to guide your information security projects? Seek out qualified security experts for help designing security programs. Sales people are an important part of procuring technologies and services, but they are rarely qualified to provide information security advice and guidance.

Want some more ways to secure your network? Call today to set up an information interview with one of our security consultants: (503) 644-5656 or email info@anitian.com

All material in this web site is copyright © 1995-2006, Anitian Corporation. All Rights Reserved Worldwide