National Cybersecurity Awareness month is upon us. And, so is the opportunity to look at what common C-suite misconceptions could be handcuffing security awareness efforts. 

As we enter the back half of 2020, now is the time to look at these myths and highlight their relevancy in this chaotic year. Which myths still persist in the modern threat landscape? And, have any been proven true?

Let’s take a look at six possible cybersecurity myths and what you can do to dispel them.

Bringing Cybersecurity Awareness to the C-Suite

First, it’s critical to reiterate that we need to be thinking about the whole enterprise when discussing cybersecurity awareness. The focus of cybersecurity awareness is often on frontline employees. That segment of the corporate hierarchy is crucial. But without buy-in from the top of the hierarchy, any awareness efforts are at risk of being stonewalled.

Despite all the progress we’ve made at the C-suite level, common myths about the world of cybersecurity awareness still exist. In today’s new normal, priorities have changed and security has undoubtedly made a shift to top-of-mind for many executives. But with so much to think about amidst all the changes we’ve witnessed in the last six months, balancing security with productivity is increasingly difficult.  

As a former security analyst for private and public sectors, I’ve had experience as a middle person of sorts between the IT department and C-suite. Far too often, the disconnect over cybersecurity awareness-related decisions was palpable. Between my hands-on experience and years speaking with many CEOs and IT decision makers, I’ve concluded there’s a direct correlation between an organization’s security posture and the level of buy-in from executives.

Still, myths exist.

Myth 1: IT is More Affordable In House

More IT executives seem to be on board with the many cloud and security-as-a-service (SaaS) options available to shift the cybersecurity awareness burden away from the IT department. SaaS is still growing, and many companies are leveraging the expertise from a managed security services provider.    

Despite the potential cost savings, cloud adoption has its challenges. Flexera’s RightScale 2019 State of the Cloud Report, which surveyed 786 technology professionals from various enterprise sizes and industries, states that the top priority in 2019 was cloud cost optimization.

Optimizing costs in 2020 is going to be even more crucial. 

Myth 2: Updates Are Under Control

Unfortunately, this myth is common in 2020. It can haunt your organization, because complacency and security don’t go well together. If the C-suite is under the false impression that everything is under control, the potential for an attack can skyrocket. 

There are more endpoints connecting to corporate networks than ever before, especially in today’s work-from-home era. Making sure all those desktops, laptops, smartphones, tablets, firewalls, appliances, routers, servers and new Internet of Things (IoT) devices are patched and up-to-date is a massive undertaking. 

Patch management should not and cannot be overlooked by any IT decision maker. Testing is also key. Without proper assessments and penetration tests, how do you know whether your endpoints and networks are secure? Self-evaluations will tell you, and give you the knowledge needed to fix what they find.

Myth 3: Cybersecurity Awareness Programs are Good Enough

The complacency theme continues. Even though most in the C-suite can agree that cybersecurity awareness is important, I’m still hearing and reading far too many examples of organizations that conduct training perhaps once per year and call it a day. In some cases, no training is offered at all. 

I’m not suggesting all companies aim for monthly cybersecurity awareness training (though it certainly wouldn’t hurt), but quarterly should be the minimum. If your employees — including the C-suite — are not invested in protecting your network and resources, it probably won’t matter how much you spend on security hardware and software.

Myth 4: Threat Actors Can’t Be Stopped 

The mindset behind this logic has changed in the past few years. Instead of surmising that threat actors cannot be thwarted, the myth has morphed into the unfounded theory that ‘no one would be interested in hacking our company.’

When we read about data breaches, most victims named are big companies. It’s easy to be lulled into a false sense of ease, thinking that your company is too small to be targeted. The fact is, almost half of the reported data breaches happened at small- and medium-sized businesses (SMBs). According to Verizon’s Data Breach Investigations Report, 43% of all data breaches target SMBs.

The proverbial target on your back is no smaller or less red than a large corporation’s. The home robbery analogy is fitting: in a neighborhood full of houses with no lights on, the house with lights shining is less likely to get robbed.

Myth 5: If We’re Compliant, We’re Done With Cybersecurity Awareness

Here’s a myth that is as relevant today as it was in previous years. I recently had a chat with a virtual chief information security officer about the false assumption that somehow compliance is equivalent to cybersecurity awareness. For some organizations, this line of thinking still exists. 

Yes, meeting or exceeding government or industry regulations is a must, he says. But when it comes to your cybersecurity awareness posture, compliance is just a starting point.

Myth 6: We Have BYOD Totally Under Control

Bring-your-own-device (BYOD) policies are more popular than ever, and some may argue that it’s the norm. But even armed with a robust mobile device management solution, the sheer number of potential devices, including IoT, that can appear on your network may become overwhelming. Each insecure device represents another hole in your cybersecurity wall. 

To confidently get BYOD under control, look for a capable unified endpoint management solution and ensure employees are aware of the policies, risks and ramifications for bringing their own devices. 

If your C-suite believes any or all of these myths, your security awareness program can suffer. Security awareness should be about much more than preventing phishing attacks. On the other hand, if everyone across the enterprise has the right mindset about each topic, the chances of a successful security awareness program skyrocket. 


The opinions expressed in this publication are those of the author. They do not purport to reflect the opinions or views of IBM or its members.
