Cybersecurity Myth Busted: We’re Secure

By: Justin Wray and Tim Grelling | February 1, 2022

Some people would chuckle incredulously at the claim that “we are secure”, but some people and organizations do believe it. They think that spending money and time, dedicating resources, implementing solutions, and establishing controls makes them secure.

You Need to Resolve Every Risk

The reality is that no organization is secure. There is no such thing as secure vs insecure. That’s not how security works. When you’re talking about maximizing security, you’re trying to resolve every single risk. The reality is that the adversaries only need to find the one risk you missed. And it may not be a risk you even knew about.

This happens frequently when a new vulnerability or zero-day is being actively exploited or weaponized by cyber criminals. So even if you do go through every single known vulnerability, and you mitigate or resolve those risks, what about the ones that are unknown? What about the ones the bad guys don’t even know about today, but they may find tomorrow? Unfortunately, your job is very difficult. You must address all these vulnerabilities and risks, and they only have to find the one that wasn’t addressed.


What About Third Parties?

Even if you have robust security, a big security budget, a security-minded culture, and dedicate a lot of effort to security, you still have a potential risk in third parties. That’s another huge risk area that people tend to either miss or skip.

Third parties can be vendors who have access to your environment. They can have access to your data. They may have access to work with your customers. What about software vendors? There have been significant circumstances where security software was compromised in the software developers’ or the manufacturer’s environment. The compromise doesn’t even have to occur in your environment. All these different components are part of your environment, even though you have limited to no control over them, and those introduce risk.

Not All Incidents Are Preventable

No individual security control works 100% of the time. And no collection of those security controls gives you 100% protection. Remember:

  • Security is a Risk Management Process. Security requires continuous care and feeding. It’s a process you must continuously refine and improve.
  • Tools must be managed, maintained, and monitored. Tools should be a part of your security posture and controls. But just having tools isn’t enough. Tools can’t prevent an employee from walking out the door with a laptop that can be lost or stolen. Tools won’t prevent every single incident. Therefore, care and feeding are essential to maximize your security posture.
  • Security requires full-time attention and skills. Security must be somebody’s focus, putting your organization in the best position to prevent, detect, respond to, and recover from an incident.

Ensure you have the right processes and controls in place. Most organizations aren’t doing the basics correctly. Understanding that your environment is constantly changing, managing and monitoring detection, and having response capabilities is the key to security.

As the Managing Director of Security Advisory at Core BTS, Justin helps organizations strategically maximize their security investments. With 15+ years of industry experience, he has a unique perspective on the type of cybersecurity threats organizations face today.
As the Director of Innovation of Core BTS’ Security Practice, Tim specializes in helping clients develop strategies that cover all aspects of their IT security. Having been in the industry for 20+ years, Tim has worked with numerous Fortune 500 companies in various industries on their cybersecurity assessments.
