Conversations about security and compliance often miss the importance of perception. Perception is a crucial factor because it drives trust. You may have the best security programs in place, but if you fail to manage perceptions properly, you lose the confidence of your stakeholders.

Mark Nunnikhoven, Security Principal at AWS, got together with Jeremy Huval, Chief Innovation Officer at HITRUST, and Robert Booker, Chief Strategy Officer at HITRUST, to discuss Trust vs. Perception. Check out the full podcast episode here.

Here are some key points from that conversation.

Security myths and assumptions

Cybersecurity is a complex domain. Customers and businesses tend to believe several common security myths or make certain assumptions.

All our employees are required to set strong passwords, so we’re good.

We’ve seen the basic password standards — a mix of uppercase and lowercase letters, a numeric digit, a symbol, and a length of more than eight characters. Different user interfaces (UIs) show whether the password strength is weak or strong. However, security experts know it takes more to create a strong user password. And strong passwords don’t mean robust security measures. It means your employees no longer use their dog’s name for every password.

We’re smart enough to detect phishing emails.

Sure, some phishing emails are easy to spot. But bad actors also continue to evolve their tactics. Can you count on every member of your Accounts Payable team not to react to an after-hours text that looks like it’s from the CEO? How often do you educate your employees on how to spot a phishing attempt? Do you occasionally test them with one of the commercially available tools? At a minimum, do your employees know when not to click on external links if they’re unsure?

We’ve never experienced a breach, so our security is strong.

You haven’t? Are you sure about that? According to a report by Blumira and IBM, it can take companies an average of 287 days to realize they’ve been breached. And if your organization has never experienced a breach, it could be because you are lucky to be out of a bad actor’s radar. Organizations should update their controls regularly and ensure their security practices remain relevant and adaptive to emerging threats.

Importance of compliance

Compliance is a community coming together to set a minimum bar for handling a specific data type. For example, major players set the standards for processing payment card information as Payment Card Industry (PCI) Compliance.

Compliance fills the gap left by security by keeping our work in check. We roll out controls and often fail to check whether those controls work. Compliance ensures that organizations check the right boxes and that their controls perform as expected. As the threat industry and security environment keep changing, compliance helps to keep the controls relevant and effective.

Security theater

Maybe you feel more confident when you see a TSA agent pull a bag off the conveyor belt to poke through its contents or when your employer requires you to change your password every 60 days. Those measures might help, but they could also create a false sense of security that you’re safe just because you see someone doing something about security.

Decades ago in the US, someone tried to smuggle an explosive substance in their shoes. Since then, millions of travelers have been required to take off their shoes at airport security screening. Does this make us safer? Or is it “security theater”? Security theater makes us feel like we’re doing something, which may cause us to let down our collective guard and miss important opportunities to be more vigilant.

Another example of security theater could be third-party cybersecurity questionnaires. Do these questionnaires add security value? The answer is not always. Questionnaires may be valuable only if the answers are supported by evidence and if someone on the receiving end has the resources and expertise to analyze them critically and provide actionable feedback.

Takeaway

Security is everyone’s responsibility. The user is responsible for being vigilant and not being the weakest link. Security professionals are responsible for creating and implementing robust security programs that anticipate and guard against whatever threats may be coming next. Security teams need to ensure people know what to do to keep themselves and their organizations safe and that they have easy access to tools.

Perception in security and compliance is not about offering organizations additional benefits when they look at their controls through a new perspective. It’s about making them understand why they should take specific actions and how to perform them correctly.

For a deeper dive into Trust vs. Perception, listen to the full podcast episode.