Monthly Archives: September 2018

Separating the truths from the myths in cybersecurity

Larry Ponemon


Ponemon Institute, with sponsorship from BMC, conducted the study on Separating the Truths from the Myths in Cybersecurity to better understand the security myths that can be barriers to a more effective IT security function and to determine the truths that should be considered important for the overall security posture. In the context of this survey, cybersecurity truths are based on the actual experience of participants in this research. In contrast, cybersecurity myths are based on their perceptions, beliefs and gut feel.

More than 1,300 IT and IT security professionals in North America (NA), United Kingdom (UK) and EMEA who have various roles in IT operations and security were surveyed. All respondents are knowledgeable about their organizations’ IT security strategies.

Separating the truths from the myths in cybersecurity

Following are statements about cybersecurity technologies, personnel and governance practices. Participants in this research were asked if these statements are considered truthful or if they are based solely on conjecture or gut feel (i.e. myth). Specifically, respondents rated each statement on a five-point scale from -2 = absolute myth, -1 = mostly myth, 0 = can’t be determined, +1 = mostly truth and + 2 = absolute truth. The number shown next to each statement represents the average index value compiled from all responses in this study. As can be seen, all myths and truths are not equal and range from -1.04 to +0.78.

Drawing upon nonparametric statistical methods, we separated those statements that had a statistically significant positive value that was above 0 (i.e. truth) from those statements that had a statistically significant negative value at or below 0 (i.e. myth).

Truth – The test statistic confirms the following statements are mostly believed to be a fact


  1. There is a skills gap in the IT security field. +0.78
  2. Security patches can cause greater risk of instability than the risk of a data breach. +0.52
  3. The cloud is cost effective because it is easier and faster to deploy new software and applications than on-premises. +0.52
  4. Greater visibility into all applications, data and devices and how they are connected lowers an organization’s security risk. +0.45
  5. Malicious or criminal attacks are the root cause of most data breaches. +0.42
  6. A strong security posture enables companies to innovate and take risks that can lead to greater profitability. +0.33
  7. IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. +0.22
  8. Many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity. +0.09


Myth – The test statistic confirms the following statements are mostly a myth


  1. Too much security diminishes productivity. -1.04
  2. A strong security posture does not affect consumer trust. (In other words, a strong security posture is considered beneficial to improving consumers’ trust in the organization.) -0.87
  3. Automation is going to reduce the need for IT security expertise. -0.55
  4. Artificial intelligence and machine learning will reduce the need for IT security expertise. -0.50
  5. It is difficult or impossible to allocate the time and resources to patching vulnerabilities because it leads to costly business disruptions and downtime. -0.41
  6. Insider threats are costlier to detect and contain than external attacks. -0.27
  7. Nation state attacks are mainly a threat for government organizations. -0.24
  8. Security intelligence tools provide too much information to be effective in investigating threats. -0.21

Discussion — the state of cybersecurity 

Senior management believes in the importance of the IT security function. Sixty-one percent of respondents say their senior management does not view IT security as a strictly tactical activity, a view that would diminish its importance in their eyes. Respondents concur that IT security in their organization is considered a strategic imperative.

Companies face a shortage of skilled and competent in-house staff. According to another Ponemon Institute study [1], 70 percent of chief information security officers and other IT security professionals surveyed say a lack of competent in-house staff is what they worry about most when trying to defend their companies against cyberattacks. Further, 65 percent of these respondents say the top reason they are likely to have a data breach is because they have inadequate in-house expertise.

Are tensions between the IT and IT security function diminishing the security of organizations? Fifty-six percent of respondents agree that there is tension between IT security and IT operations because of a lack of alignment of their different priorities. Specifically, IT operations is more concerned with the organization’s business objectives and IT security is focused on securing the enterprise from cybersecurity threats.

However, many respondents believe that despite this tension, IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. Collaboration between these two groups can be improved through the use of tools that bring these two functions closer together and foster teamwork which will benefit the organization as a whole.

Investments in security technologies should be aligned with the overall IT strategy and not lead to complexity. While the priorities of IT security and IT operations are often not in alignment, investments in technologies are consistent with their organizations’ overall IT strategy, according to 60 percent of respondents. However, respondents believe many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity.

Technology investments are often motivated by well-publicized data breaches. Fifty percent of respondents say data breaches that are widely reported in the media can influence decisions to purchase security technologies. While companies may purchase cyber insurance to manage the financial consequences of a data breach, only 34 percent of respondents say such a policy would reduce their investments in security technologies.


Mark Zuckerberg is the world’s front-page editor now. That’s the real problem

Bob Sullivan

Mark Zuckerberg never set out to be the world’s editor in chief, but here we are. And sorry Mark, you are a terrible front page editor.

Hearings in Congress today dug into the weeds of why Americans feel like social media is letting them down — it was a ready-made tool for Russian election interference; it’s now silencing some voices based on vague criteria, and so on. But these aren’t THE problem. They are just symptoms.

Two thirds of Americans get their news from social media today. Most from their Facebook wall. That’s a very, very small window through which to see the world. Worse yet, most of them don’t know how social media really works. Pew just released a study showing a majority have no idea how stories are selected for Facebook’s news feed, and don’t believe they have any influence over what appears there.

That’s THE problem.

Fairly recently, a consumer reading a newspaper who didn’t like what was on the front page could do something simple, but now seems revolutionary — she could turn the page. Over and over. And within 10 minutes or so, she’d be exposed to hundreds of stories, neatly organized in sections. If she were really smart, she might do this with three or four papers. More to the point, she had a pretty good understanding of why those headlines and those stories appeared in those sections.

Today, we scroll. A supercomputer designed to hack our attention span optimizes that “front page” for “engagement,” with the goal of hypnotizing you into sticking around. There are no sections, no priorities. Only click-bait. And whatever Facebook has decided is important to the hypnotics that month (Live video! Puppies!). If a good story doesn’t click with the first few folks who see it, it’s dismissed into the long tail of Internet oblivion, destined to be a tree that’s fallen silently in an empty forest. This story, I’d think, will be a good candidate for that scrap heap.

I don’t begrudge that (ok, of course I do. Facebook’s algorithm changes have killed my website in recent months). But I found this piece of Pew’s most recent survey the most troubling: Facebook offers token tools for adjusting what’s on users’ front pages, but even these are rarely used. Fully two-thirds of users have never even tried to influence the content on their news feed. Of course, the older users get, the less likely they’ve taken an active step to change their feed, such as unfollowing groups or asking that certain friends be prioritized. (Please choose “see more” of me.)

In other words, news consumption in America is dangerously passive. And Mark Z is the most powerful front page editor in history.

This is not what Facebook set out to do; I genuinely think many at the company are horrified by this state of affairs. I am one who believes it is an existential threat to the company — it’s very far from Mark’s core expertise. And users will eventually revolt. In a separate Pew survey, researchers found that 42% of users had taken some kind of Facebook break recently. And 26% said they had deleted the app from their phone. Those numbers seem awfully high to me, but you get the point. People sort of hate Facebook now for what it’s done to their lives. That’s not a great business model.

And it’s getting worse. As Facebook works frantically to save itself, and to defuse the bomb it’s been turned into, news feed is often shrunken. Puppy photos are back on top; interesting news stories (like this one!) are out. Users see an even smaller selection of “follows” when they look. You might have 500 friends, but only 25 of them appear in your feed, urban legends and empirical evidence tell us.

Why are we really here? Since the beginning of time, Facebook has refused to offer an unfiltered option that would simply list every post from every friend. When a software maker invented a third-party app to make such a raw feed, Facebook forced it to shut down. Users would be overwhelmed by so many posts, the firm believes. News feed must be edited. And so, here we are.

Yes, in some ways, we did this to ourselves. Nothing stops Americans from visiting on their own, instead of relying on the news feed (or Google News) for their headlines. Heaven forbid, we could actually subscribe to a newspaper, too. But, as I began this piece, here we are. The world’s most efficient tool for connecting human beings, one of the Internet’s original killer apps, has killed our curiosity. We’re devolving into digital-made tribes, only listening to the 25 or so people who make the front page of our lives.

As the saying goes, you made this mess, Mark. You have to clean it up.