Book review: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us



Fear, uncertainty, and doubt (FUD) manifests itself in many ways. It is often used in marketing to spread false information and fear in order to sell a product. Information technology in general, and information security specifically, lends itself to significant FUD. This can occur when a company fears missing out on a technology trend because of a Gartner Magic Quadrant, or is being sold a bill of goods by a hardware or software provider peddling snake oil.


All this FUD can lead to industry myths that take on a life of their own, and dispelling these myths can be a significant endeavor for information security professionals. In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us (Addison-Wesley), authors Drs. Eugene Spafford, Leigh Metcalf, and Josiah Dykstra have written a fascinating book that separates myth from reality.


While the function of the book is to dispel the myths, it also serves as an excellent introduction to computer security. The authors bring significant experience to every chapter. Dr. Gene Spafford, better known as Spaf, a professor of computer science at Purdue University, is one of the most influential people in computer security. Metcalf is a Senior Network Security Research Analyst at Carnegie Mellon University, while Dykstra is a Senior Fellow at the National Security Agency.


The book will be like a walk down memory lane for those who have been in information security for a while. Lots of buzzwords and hype from the past are discussed and dispelled. For the information security newbie, it serves as an excellent introductory text.


For those interviewing information security staff at any level, each of the myths and misconceptions covered in the book can serve as a launching question during a technical interview. Discussing a myth or misconception is a great open-ended question that lends itself to a fruitful conversation, in which you can truly discern the candidate’s understanding of information security.


Here are three of the more interesting myths and misconceptions I found insightful:


Sharing more cyber threat intel will make things better – It is not about the volume of sharing; it is about better sharing, as threat intelligence takes many forms. Massive information dumps don't help anyone. But sharing specific knowledge that helps a defender know which attacker behavior to look for, and the "so what" if it is discovered – that kind of sharing is invaluable.


Believe and fear every hacking demo you see – There is a misconception that every demonstration or academic finding will result in widespread use.


For example, security researchers dropped a bombshell at Black Hat 2019 that the Boeing Dreamliner is susceptible to hacking. Yet only one-third of all CVEs are ever seen in live environments, and of those, only 5% have known exploits.


Dealing with CVEs is only getting harder. Ben Edwards of the Cyentia Institute said at RSA Conference 2023 that vulnerability counts are increasing significantly, and it won't be much longer until there are over 1,000 CVEs issued weekly.


There is a shortage of cybersecurity talent – There is a lot of FUD claiming that there are millions of unfilled information security jobs. Taken at face value, some of these estimates would imply that 1% of the US population would need to work in information security to close the shortage.


Much of the so-called shortage is due to firms being unwilling to pay market rates for information security professionals. Firms that do pay market rates find the shortage is not nearly so severe.


The authors use a variation of one of Spaf's analogies: instead of worrying about how to produce more firefighters, perhaps we should put some effort into no longer constructing buildings out of gasoline-soaked balsa wood. Sage advice, indeed.


Cybersecurity Myths and Misconceptions is a fascinating and engaging read. For the experienced professional, it will validate many things and have you laughing about some episodes from the past. For the not-so-experienced security professional, it will make you smarter and more valuable to your organization. It's a great read from some of the most intelligent people in the industry.


The title may make readers think this is just Snopes in print, debunking myths. But it is much more than that. It shows the reader, in explicit detail, what it takes to do this thing called information security. There's a lot of great information here, and I could end this review by saying that it's no myth, but I won't.
