Changing Courses: Security is Too Often Based on Assumptions
Assumptions waste time, money, and resources, according to one CISO. "And they have the added disadvantage of not even effectively mitigating risk," he writes.
By Brian Contos, CISO
The Verodin team and I have spent many quarters traveling all across the US and abroad. When we’ve been out there giving talks, we’ve also been collecting security statistics from hundreds of audience members via real-time polling software.
The results of these polls have created an interesting cross-section of perspectives. My audiences generally include red and blue security teams, auditors, security executives and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare and oil & gas, just to name a few.
For this blog, let’s take a look at the polling question: How much of your security is based on assumptions instead of evidence?
Not surprisingly, a whopping 97 percent of the poll respondents said that at least some of their security is based on assumptions. 81 percent said that at least half of their security is based on assumptions, and 10 percent claimed that all of their security is based on assumptions.