Gartner reveals Top 10 IT security myths

False assumptions all add up to "security myths" that have gained wide credence among security pros

When it comes to information security, there are a lot of "misperceptions" and "exaggerations" about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst, Jay Heiser.


These false assumptions all add up to "security myths" that have gained wide credence among security pros, the employees they're trying to protect from data loss and the business managers apt to blame chief information security officers (CISOs) for breaches and other mishaps. Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his "Top 10 Security Myths":

Myth #1: "It won't happen to me"

Cause: Being inured by hype over risk, and letting employees do whatever they want in order to avoid expense and responsibility.

Cure: Face the business responsibility to confront security-related requests; making use of a security classification framework helps.

Myth #2: "Infosec budgets are 10 per cent of IT spend."

Cause: Wishful thinking; Gartner research shows the budget number is more like 5 per cent.

Cure: Get some real data

Myth #3: "Security risks can be quantified"

Cause: Illusion that you can have your security budget if you try to justify it in an Excel spreadsheet, a common misperception in a "numbers-oriented culture" in which it's thought "he who has the biggest numbers wins."

Cure: Develop non-numeric expressions of risk, and seek to ensure the business unit takes ownership of its IT-related risks.

Myth #4: "We have physical security (or SSL) so you know your data is safe"

Cause: Wishful thinking and poor understanding of risk

Cure: Ensure security purchases match data requirements

Myth #5: "Password expiration and complexity reduces risk"

Cause: Inertia. Heiser adds: "We know passwords are deeply flawed, but cracking is just not the major failure mode. Passwords are not cracked, they're sniffed."

Cure: Might not be one

Myth #6: "Moving the CISO outside of IT will automatically ensure good security"

Cause: Passing the buck. Heiser adds: "It's the old 'let's solve a cultural problem by re-organizing something' trick."

Cure: Analyze the root cause of weaknesses in a security program

Myth #7: "Adhering to security practices is the CISO's problem"

Cause: Passing the buck. Lines of business want security risk to be someone else's problem, with the CISO shouldering all the risk, even though they don't feel the CISO should be able to tell them what to do.

Cure: Build an information security program around the culture

Myth #8: "Buy this tool <insert tool here> and it will solve all your problems"

Cause: External search for magic solutions to difficult problems; wishful thinking

Cure: Methodical risk analysis and prioritization, multi-year security plan

Myth #9: "Let's get the policy in place and we are good to go"

Cause: Wishful thinking

Cure: Establish management responsibility and pick your battles carefully

Myth #10: "Encryption is the best way to keep your sensitive files safe"

Cause: When encryption works, it works brilliantly. But it can cause more harm than good when there are naïve expectations about a difficult technology; sometimes it's a "search for the Holy Grail" or "magic bullets" to shoot down regulatory concerns.

Cure: Ensure you have solid experience in cryptography before making decisions

As a final cap, Heiser pointed out that many of these myths arise because of factors that are simply the human propensity to over-react in unfamiliar situations or the common organizational bent to pass the blame to someone else. "Buck passing characterizes bureaucratic risk management," Heiser noted. He said that "there's no reason the CISO should just sit there and accept all those hot potatoes," especially when employees are loading up on consumer computing technologies.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

