Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Cyber Tactics ColumnCybersecurity News

The Top 10 Cybersecurity Myths, Part 1

By Steven Chabinsky
Cyber Tactics Steve Chabinsky
April 1, 2015

We have been following the same cybersecurity approach, more or less, for over a decade.  Yet, most everyone agrees that the problem continues to grow worse.  Perhaps we are not on the right course.  Maybe we are operating on false assumptions.  The following list (to be continued in next month’s column) is meant to promote a dialogue about what, in my view, are widely held cybersecurity myths. 

10. The Patch Myth. It is beyond debate that systems administrators should patch their systems and, with few exceptions, should upgrade to current versions of operating systems, firmware and applications. The Patch Myth comes into play in overestimating the value of this basic tenet.  On countless occasions, I have heard very smart people suggest that there is a one-to-one relationship between patching vulnerabilities and stopping attackers who take advantage of those vulnerabilities.  The real dynamic is far more complicated.  Hackers take advantage of the easiest paths first but, when denied, routinely escalate and innovate.  Especially when it comes to targeted attacks, hackers do not simply move on to the next guy when they see a fully patched system.  Just because X% of intrusions may take advantage of known vulnerabilities, it does not follow as a matter of logic or industry experience that anywhere close to X% of those intrusions would have been eliminated had those vulnerabilities been patched.  Hackers evolve.

9.  The Invincibility Myth. The Patch Myth is part of a much larger misconception that relates to our having adopted vulnerability mitigation as the central pillar of cyber risk management, with the apparent hope of achieving invincibility.  This time-consuming and costly approach, although not without some value when correctly balanced, has come at the expense of properly resourcing threat deterrence and consequence management efforts.  It would be nice if security experts could keep all the bad guys out, but it is clear that applying all the secure coding, patching, passwords and spam filters in the world will never result in sufficient security.  Rather, the cybersecurity industry has come to realize that early detection aftera breach, followed by rapid containment and mitigation efforts are equally essential.  More significant, the world’s cyber insecurity will continue to get worse unless and until individuals and nations are sufficiently deterred from attempting to break into networks in the first place.  Successful intrusions almost always occur by hackers who first got away with thousands of unsuccessful intrusion attempts.  That dynamic would never be accepted in the physical world, and it has to change for cyber.

8. The Bad Guy Doesn’t Matter Myth. Countless times I have heard companies and government agencies argue that identifying one’s cyber adversaries is of no value.  The logic, for those who express this view, is that network administrators must defend themselves against all attack scenarios and do not have the luxury to downselect.  The truth is far more nuanced.  There are a number of good reasons to integrate cyber threat intelligence into a program.  From a practitioner’s perspective the primary advantage is to determine the tactics, techniques and procedures (TTPs) of the hacking groups that have an interest in your data and networks.  Doing so allows an organization to develop a more mature risk profile, better focus and prioritize prevention, detection and response measures, and become increasingly predictive rather than reactive.

7. The Information Sharing Myth. Many organizations discuss information sharing as a valuable initiative without first defining their operational objectives.  There is no inherent virtue in disseminating as much data as possible between as many companies and government agencies as possible without agreeing upon the end-state.  Instead, the starting point for organizations should be to prioritize their most significant cybersecurity challenges, create measures around those that define success, and then determine the leastamount of information and the smallest number of participants required to collaborate and resolve them.  Information sharing is not always required, and there typically are opportunity costs, resource challenges, legal impediments, trust hurdles and potential data overload consequences when we direct so much attention to building these platforms.

6. The National Strategy Myth. The Information Sharing Myth is part of the larger National Strategy Myth.  Simply put, we really cannot claim to have a unified strategy, which would imply understanding our objectives, developing measures of success with targeted performance goals, and advancing consistent, coordinated policy choices.  One example will suffice to demonstrate the National Strategy Myth.  The same government that routinely warns all companies that sooner or later they will get hacked, simultaneously enacted a law incentivizing healthcare providers to digitize the personal health records of every man, woman and child in our country.  Inconceivable!

           

 To be continued in May 2015.  

KEYWORDS: cyber risk mitigation cybersecurity myths patch myth security myths

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Chabinsky 2016 200px

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Cyber Security default

    The Top 10 Cybersecurity Myths, Part 2

    See More
  • Cybersecurity Requires More than a Good Plan

    10 Steps to Building a Better Cybersecurity Plan

    See More
  • cyber feat

    The Top Three Cyber Security Leadership Qualities

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

  • 9780367030407.jpg

    National Security, Personal Privacy and the Law

  • 150 things.jpg

    The Handbook for School Safety and Security

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing