Five Security Myths

By Bob Lonadier

Fact becomes history. History becomes legend. Legend becomes myth. For information security it gets harder and harder to separate mythology from reality. Changing threat landscapes, and the tools and technology required to deal effectively with next-generation threats and vulnerabilities, can quickly make obsolete even the most well-reasoned conventional wisdom. Let's look at five security myths, explore the reasoning behind them, and then suggest new ways to tackle the problems.

Increased spending will result in greater security. Information security managers are always looking for benchmark data that will help them justify security spending as a percentage of IT spending. The problem with this approach is that they usually end up paying more for security without necessarily being more secure. Each company has a unique threat profile that determines the types of security investment it requires. Add these all up and you get an average spending level, but that figure is hardly useful to a specific firm. Companies that use benchmarks to guide their security investment strategy more often than not end up making poor security choices, either spending far too much to give the appearance of spending "right" or not enough on the security components that are critical for their business. The worst part is that critical vulnerabilities go unprotected, leading to less security, not more.

Security spending cannot be generalized; it must be looked at on a case-by-case basis. The companies most successful at managing security risk within a budget establish a risk profile specific to their firm and then carefully allocate spending to meet that level of security. Most of the funding is spent on people, not technology, as security awareness is a visible and important part of that spending.

Most threats are internal, not external. Is a temporary or contract employee an insider or an outsider? How about a trading partner's employee helping with an integration? As more and more companies become interconnected as a means to improve product delivery, decrease costs, and increase customer and supplier efficiency, the distinction between inside and outside begins to disappear.

Many companies are defining access control policies that treat insiders as outsiders depending on where and how they are coming into the network, the applications that they are using, and the sensitivity of the information that they are accessing.

People are the solution to greater security awareness. People can be the solution to greater security awareness, but they can also be the source of much confusion in defining and implementing security policy. Without proper training, people are much more likely to be part of the problem than part of the solution. With companies trying to take the human element out of the business equation (i.e., layoffs), most are in a very poor position to better educate their employees on security awareness.

The most successful organizations use lack of security awareness as a proxy for corporate dysfunction. If management is not doing a good job of training its employees on security do's and don'ts, then there are likely other personnel issues that need to be addressed. Disgruntled employees are made, not born.

Information security must be managed out of a separate organization in order to be effective. Mixing security in with IT or, heaven forbid, physical security is often touted as a recipe for disaster. It's too difficult to keep track of what's going on with security when it's part of a larger organization. Security needs to be separate so that professionals can dedicate themselves to security policy creation and enforcement, and people need to know who's the boss when it comes to choosing and implementing appropriate information security for an organization.

Keeping information security professionals together so that they can speak with a consistent, clear voice is not a bad idea. Nor is the idea of a chief information security officer a bad one; it just runs into the same problems that the Office of Homeland Security does: a department in name only whose real job is running interference for all the various organizations with the word "security" in their charter. Keeping all information security professionals together risks alienating the very groups they will need to count on to lead security awareness and effectiveness campaigns. Some organizations have taken a hybrid approach, keeping a core security architecture team focused on developing next-generation security architectures and, most importantly, the business case justification for implementing (or not) a particular security program and policy. Additional information security professionals can then be sprinkled throughout the organization, providing the hands-on expertise that is needed and helping keep security more visible.

Outsourcing security puts the "keys to the kingdom" at risk. If a company does not have its act together with respect to security, outsourcing it to a third party is only going to make matters worse. However, companies that are trying to put together a corporate-wide security policy while also balancing the costs and benefits of an insourced security program will not suffer undue harm from outsourcing part or all of their security infrastructure, if it is done properly.

With any outsourcing decision, the goals and objectives of the program must be clearly defined. The service level agreements need to be carefully designed and matched to the business needs of the firm. Typically, companies that choose security service providers find that they now have access to information about the security status of their company that they could never have pulled together previously. This new information allows them to explore security architecture and implementation alternatives that were simply not feasible given the level of effort previously required.

Just as antilock brakes put an end to the conventional wisdom that "thou shalt steer into a skid in slippery conditions," so too is it time to put many security myths to rest. Changing threat landscapes and new information security tools and technology place many information security professionals on unsure ground. Challenging conventional wisdom and testing assumptions will become an important role for the information security professional in the months and years to come.