The sales and marketing of security rely heavily on the fear, uncertainty and doubt (FUD) principle, says Charl Van der Walt, founder and director of SensePost Information Security.
He says security is filled with self-proclaimed witch-doctors, soothsayers and doomsday prophets, many of whom are just serving their own purposes. Security is still far too complicated and difficult to understand, creating a ripe breeding ground for rumours, exaggerations and untruths.
"There's no simple answer on how to separate fact from fiction among all this noise within security, but there are principles one can apply when evaluating both threats and solutions," says Van der Walt.
The first of these principles is that organisations must believe there are people out there - with the programs, the means and the motive - who will breach a company's systems if they get a chance, he says.
"But at the same time your own users are probably your greatest threat, not because they're bad, but because they're stupid."
Van der Walt says when evaluating solutions, companies must remember that security is equal parts people, process and technology. "Any solution that's not balanced like this is probably not a solution."
Van der Walt adds that understanding compliance should also be used as an evaluation principle. "Compliance with a standard or a regulation does not make you secure, it makes you compliant."
Van der Walt and Haroon Meer, technical director at SensePost, will cover these issues at the ITWeb Security Summit in Midrand in May. They will also highlight the most common security myths that most companies buy into.