Any cybersecurity approach is only as strong as its underlying assumptions. What happens when those assumptions are wrong? Find out where confusion about cybersecurity facts can lead organisations astray.

Getting it right matters in cybersecurity. A breach can damage a company’s reputation, erode market share, and provoke fines or other penalties that have a serious bottom-line impact.

Spafford, a renowned computer science expert and 2013 inductee into the National Cybersecurity Hall of Fame, joined Trend Micro’s Greg Young and Bill Malik on their Real Cybersecurity podcast to discuss where cybersecurity facts get off-track. They touched on cybersecurity as a discipline, the current skills shortage, the dangers of over-valuing efficiency, and the impacts of emerging technologies like blockchain and AI.

 

1. CYBERSECURITY FACT: There’s no one thing called ‘cybersecurity’. 

Organisations often see cybersecurity as a single, comprehensive function when in fact it is highly diversified and specialised. Architecture planning is radically different from app development, for instance, and incident response is by no means the same as running a NOC. Yet many HR managers and executives treat cybersecurity as a monolithic IT endeavour, hiring talent based on years of experience alone instead of by specific discipline.

 

2. CYBERSECURITY FACT: The skills shortage is not just a people shortage.

As threats multiply, organisations are increasingly desperate to bring on skilled cybersecurity talent—and are finding it hard to fill positions. While there is a need to attract more people into science, technology, engineering, and math (STEM) fields, it’s a fact that the skills shortage isn’t just about a lack of workers. Other structural problems keep enterprises from getting the talent they need.

A major one is the lack of investment in on-the-job training to close the gaps between academic learning and practical skills development. That limits workers’ opportunities to gain the experience companies want and can lead to organisations hiring less-than-qualified people, which creates vulnerabilities.

At the same time, companies aren’t necessarily taking full advantage of the talent that is available. Certain pools, such as military veterans, are underutilised and eager for new opportunities. All they need is some retraining.

And if businesses want more STEM talent, they also have the power to help cultivate it. Working with government and educators, companies can get involved with early outreach—promoting STEM careers to elementary and secondary students. Earlier exposure to STEM career options will also help diversify the talent pool, attracting a wider range of people to the field.

 

3. CYBERSECURITY FACT: Cheaper and faster isn’t always better.

Most organisations have internalised cost control and speed to market as general business values. But putting dollar-driven efficiencies before all else can have unwanted consequences when it comes to cybersecurity. 

“The fact that we continue to prioritise cheap and fast over safe and secure and private is the thing that bothers me the most,” Spafford says.

He points to the example of software development. Very often new products reuse legacy code and other assets—reconfiguring them to suit new purposes by switching off features and the like. But the fact is that legacy software isn’t contextualised for today’s threat environment. Even if it was secure in its original use, it may bring unknown vulnerabilities to a new scenario. While reusing it may be affordable and efficient, it can make an organisation more susceptible to cyberattacks.

New thinking is needed to come up with meaningful metrics for security and privacy that can be weighed against cost and time so that organisations can have a clearer picture of the overall impact of what they’re building.

 

4. CYBERSECURITY FACT: Technology alone won’t save the day.

Technology has been, and will continue to be, an essential tool for cybersecurity. But too often organisations get caught in hype cycles that cloud the pros and cons of new solutions.

Not so long ago, blockchain was touted as the saviour of data integrity. Yet it’s turned out that blockchain is rarely needed and nearly always more expensive and cumbersome than existing alternatives. A centralised database with locking and good logging is almost always a better solution than deploying a blockchain.

Now generative AI large language models are being adopted at an incredibly fast pace, promising massive efficiency gains. To be sure, generative AI does have compelling applications for cybersecurity, but it’s not ready for prime time yet. Vulnerabilities in scraped or open-source code can reappear in new AI-generated code snippets and put an organisation at risk. In a survey of companies formally using AI, Addictive Tips found that half (50%) had had an AI-related privacy breach.

Enterprises are better off putting their faith in sound cybersecurity policies and then choosing the right tools to implement those policies. Generative AI may end up being part of the mix, but no business should put all its eggs in one basket.

 

Challenge all assumptions to get your facts straight.

When it comes to cybersecurity, what you don’t know can hurt you—a lot. Organisations need to examine and challenge the presumptions and preconceptions they bring to the table, take advantage of resources, and anchor their cybersecurity strategies in good, clear frameworks as a foundation to protect themselves from evolving threats.
