The IT Security Fallacy

Don’t let the IT security fallacy get you. I have been working in the IT and IT Security industry for about 30 years. I spent many hours in the trenches working on the latest new technology of the day. Figuring out how we are going to get some new technological piece of wizardry to launch us into a new era of productivity, cost savings, and or safety. I also worked for years on the end user side when we were the consumers of these technologies and we were the ones spending the money, betting our jobs on hopefully the new fancy widget working.

For all of these years, there have been technology upgrades developments and promises about security technology. The claims were just as big and bold. If you don’t use this new appliance or that new software you will be doomed to suffer a security attack of major proportions and will be destroyed. Well, maybe I was exaggerating that last claim. But you get the picture. And if you are part of the end user community you know exactly what I am talking about. The IT security fallacy is at play here.

What Really Happens

But inevitably we buy the new security technology and we struggle to get it installed. We turn it up and hold our breath. Most of the times they work sometimes they don’t. Occasionally someone does lose their job. But something else happens. What happens is what always happens we get more and more attacks,  and more major headline-grabbing security breaches.

It is probably time that we took a step back and look at what we are really doing. Sometimes we need to look back down the road we just traveled and evaluate our progress and if we are heading in the right direction. Let’s take a quick look back at the cold hard facts. From 2014 to 2015 the retail sector saw an increase in of 159% in financial losses. That same period saw an increase of 44% of cyber attacks over all industries. That was a 12% increase in per capita cost over 2013. Ponemon Institute a respected research organization has shown an increase of $3 million per incident a few years ago to about $6 million today.

The estimate of total cost of cyber attacks in 2014 was estimated by a McCaffe study at around $445 billion. And it has gone up every year. And estimates say that it could reach as high as $6 trillion by the year 2021. Whatever we are doing is not working very well.

If Not Technology Then What

I am not saying that attention to technology in cyber security is not needed. It most certainly is. But there is more to it this problem than just technology. This problem is much more complex and nuanced than just throwing the latest technology gadget at it. And if someone tries to tell you this you need to be careful. There is so much focus on technology and innovation we lose sight of the big picture. Cyber security is so much more. Focusing just on technology and innovation can actually be part of the problem itself.

We need to raise the general understanding of Cybersecurity to the level of the complexity that we are adding to our systems. This is hard work. It is not as easy as plugging in the latest widget. It takes commitment, training, testing, evaluation, and more training. Learning is a difficult process, but it is the only way we will get out of this spiral we are in right now. The IT security fallacy keeps us from this goal.

The constant search for that magic technology pill that is going to save us is not only ineffective, it is harmful. It takes our eye off of the ball. We lose sight of the goal. I have quoted Vince Lombardi before on this he said, “an obstacle is what you are looking at when you take your eye off the goal.” Don’t take your eye off the goal.

This is starting to get really serious and it is time we took it seriously also. The goal is a secure system, for everyone in our business, our supply chain, and our customers. This means everyone needs to be pulling in the same direction not just your technology.

1 thought on “The IT Security Fallacy

  1. Pingback: The Importance of Cybersecurity Training - Cyber Creed

Leave a Reply

Your email address will not be published.