The Integrated Cyber team has done due diligence with many companies and we've found these are the two biggest mistakes we continually see organizations making.
1. "Technology Creates the Problem, Thus it MUST be the solution"
Most companies look to their IT department to prevent breaches and detect compromises by using an array of hardware, software, and appliances.
In reality, most of the problems are caused by human behavior – innocent mistakes like sending files to the wrong person, or sharing your password, or loaning your laptop; malicious actions like a fraud; and naïve response to social engineering attacks like impersonation and identity theft. IT departments mistakenly believe that they can block these behavioral characteristics by installing digital security products. Of course we humans are clever enough to circumvent many of these controls, especially if they get in the way of us doing our job. So while an audit of the technical architecture can make the IT team look really smart, the same audit of the actual workflows and processes can highlight lots of workarounds and security shortcuts. That’s why a number of companies have changed their governance model to have the Chief Information Security Officer report to the CFO or the COO, rather than to the CIO. Technology may have caused the problem, but technology alone will not solve it.
2. "Our goal is to achieve compliance"
This is the measure of success most used by the company executive committee because they lack a deeper understanding of the real risks. They simply want to be convinced that the company is meeting its statutory and regulatory needs so that they cannot be accused of neglecting their duty of care. It’s the same mindset as buying insurance just to make sure the financial results don’t suffer any nasty surprises. Compliance tends to consist of a checklist of mitigating actions, with the inference that if you can tick the box then you are secure. This is a dangerous “illusion of precision”, because mere compliance with an arbitrary set of regulations is totally different from security sufficiency, and many compliant companies have big gaps in coverage elsewhere and so fall woefully short of meeting a lot of common sense criteria.