10 Information Security Mistakes: A False Sense of Security

Technologies and processes often provide organizations with a false sense of security. The company goes through the motions of deploying a security tool or following an oversight procedure, but the benefit to the security posture might be negligible. Here’s my list of 10 information security mistakes that lead to this situation:

  • The organization captures event logs, but the auditing level lacks the details needed to identify security incidents or investigate intrusions.
  • The organization has an information security policy that no one actually follows.
  • The organization performs vulnerability scans, but does not have a consistent process for addressing the discovered security issues.
  • The organization conducts a penetration test without including employees' workstations in the project's scope.
  • The organization tightly controls traffic from the Internet without restricting and monitoring outbound network activities.
  • The organization relies solely on anti-virus software to address malware threats.
  • The organization encrypts passwords stored in the database, but uses a weak encryption algorithm.
  • The organization deploys a data security tool without customizing and tuning its configuration.
  • The organization hires an information security officer without empowering the person to critique IT decisions or to effect change.
  • The organization assumes its data is secure because it recently passed a compliance audit.

It's unfortunate when organizations implement controls that provide a false sense of security. Sometimes they do this because they don't know better. Sometimes they do this and try to pretend that they don't know better.

For more thoughts on where an infosec program can go wrong, see my cheat sheet How to Suck at Information Security.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.