Contrary to popular belief, it is impossible to be 100% secure when it comes to cyber security. As a business owner, that may beg the question: “what are we paying for?”

Believing that perfect security exists will inevitably lead to an expensive burst bubble that few can afford. It is not a matter of “if” – it’s a matter of “when” a breach occurs. Once businesses start approaching their security with a post-breach mindset, the need for a holistic strategy instead of a prevention-only one becomes clear.

The security team at Forrester busted a number of common myths surrounding the idea of “perfect security”, highlighting the importance of building and nurturing a culture of security in every business:


Myth #1: The best information security pros have never had a security incident

If security teams only hired people who had never worked for a firm that had suffered a security incident, most security specialists would no longer be employable. Breaches are opportunities to learn how to strengthen security, for companies, practitioners, and the industry as a whole. Using breaches to identify gaps in visibility, procedural errors, poor implementations, bad decisions, and incorrect or incomplete information all contributes to preventing or mitigating the next occurrence.


Myth #2: Perfect security exists

Some businesses may believe that zero-incident security is possible, or that the perfect chief information security officer (CISO) is the one who has never had an incident. Basically, if you want perfect security and zero risk, you have to disconnect from the internet and unplug every computer. Since that is not realistic, approaching security with a post-breach, proactive mindset, as opposed to a reactive ambulance-chasing approach, ensures your IT systems are valued as a productive asset and growth tool – not just a cost of doing business.


Myth #3: Security best practices are academic ideals that don't work

This is a big one. How many people sigh and roll their eyes at yet another IT training email that lands in their inboxes, probably using the words “phishing” or “scam”? But most experts will agree with us when we say that by not following basic security best practices, you are leaving a giant window open to cyber-attacks. Sometimes the gaps come from honest, unintentional human actions: employees clicking on suspicious links thinking they are safe, not thinking twice about where an email is from or what information the sender is asking for, and so on; overall, not following a cyber security policy intended to protect them and the organization. Implementing best practices that are reviewed and updated on a regular basis will help keep your business secure from the inside out.


If you have not yet developed a cyber security policy, we shared 7 steps you can take to write one that your team will actually follow.