{"id":5375,"date":"2025-10-15T07:00:00","date_gmt":"2025-10-15T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5375"},"modified":"2025-10-15T07:00:00","modified_gmt":"2025-10-15T07:00:00","slug":"13-cybersecurity-myths-organizations-need-to-stop-believing","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5375","title":{"rendered":"13 cybersecurity myths organizations need to stop believing"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The past few years have seen a dramatic shift in how organizations protect themselves against attackers. The rise of AI and the fast-paced digitalization have changed the security landscape, making CISOs\u2019 jobs more complex than ever before.<\/p>\n<p>This rapidly changing environment demands a fresh mindset, one that challenges long-held assumptions about what keeps organizations secure. Is video and verbal authentication still reliable in an era of AI-generated deepfakes? Can we still use spreadsheets to manage digital certificates\u2019 expiration dates? And are quantum threats something to worry about now, or are they still just science fiction?<\/p>\n<p>Security experts weigh in on the myths that we finally need to retire.<\/p>\n<h2 class=\"wp-block-heading\">Humans will be replaced by AI in cybersecurity<\/h2>\n<p>Many CISOs and other executives have strong opinions about AI\u2019s role in cybersecurity and the ways it could change (or not) the industry. 
But while AI excels at processing data at high speed and spotting patterns across vast datasets, it lacks multiple qualities that humans bring to the table.<\/p>\n<p>\u201cIt\u2019s not humans or AI \u2013 it\u2019s both, working in partnership to eliminate the \u2018noise\u2019 and keep real threats out,\u201d says Joe Partlow, chief technology officer at ReliaQuest. \u201cEven the best agentic AI can\u2019t know the nuances of the business context that\u2019s required to respond effectively to cyber-attacks.\u201d<\/p>\n<p>By automating repetitive tasks, AI allows human analysts to spend more time on strategic decisions and tailored responses. \u201cHumans working collaboratively with agentic AI teammates is the only way security teams are going to stay ahead of continuously evolving threats,\u201d says Partlow.<\/p>\n<h2 class=\"wp-block-heading\">Big tech platforms have strong verification that prevents impersonation<\/h2>\n<p>Some of the largest tech platforms like to talk about their strong identity checks as a way to stop impersonation. But looking good on paper is one thing, and holding up to the promise in the real world is another.<\/p>\n<p>\u201cThe truth is that even advanced verification processes can be easily bypassed,\u201d says Ben Colman, CEO of Reality Defender.<\/p>\n<p>When OpenAI launched Sora 2, its new text-to-video platform, Colman and his colleagues managed to create deepfakes of CEOs and celebrities that passed Sora\u2019s multi-step \u201cCameo\u201d verification. And they did it in under 24 hours.<\/p>\n<p>\u201cDespite live video and verbal authentication steps, the platform\u2019s safeguards failed to detect the impersonations, proving that current verification tools are not yet equipped to handle AI-generated manipulation,\u201d Colman adds.<\/p>\n<p>The bottom line? Trusting verification alone isn\u2019t enough anymore. 
Organizations need layered, adaptive defenses that assume bad actors will try to break through.<\/p>\n<h2 class=\"wp-block-heading\">Your investments in identity providers protect you from the latest attacks<\/h2>\n<p>While <a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">identity solutions<\/a> and SASE (secure access service edge) platforms can help, they are not perfect. Organizations remain just as vulnerable to phishing, credential theft, and other basic attack techniques that adversaries continue to use.<\/p>\n<p>\u201cIf you\u2019re spending millions on identity and SASE projects but still experiencing major incidents, the problem is not that these technologies don\u2019t work. The problem is that your security approach hasn\u2019t evolved to match modern attacker behaviors,\u201d says Brian Soby, CTO and co-founder of AppOmni.<\/p>\n<p>Soby argues that most corporate security strategies today resemble aviation\u2019s \u201cbig sky theory\u201d of collision avoidance, which means that they\u2019re betting on low odds of being targeted, because the number of potential victims is immense.<\/p>\n<p>This theory, however, no longer holds, says Soby. These days, the skies are actually crowded, so there\u2019s a good chance that collisions might occur. \u201cAsk yourself: Would we have been vulnerable to the latest campaigns? If the answer is yes, it\u2019s time to face the hard truth: your defenses rely more on luck than security,\u201d Soby says.<\/p>\n<h2 class=\"wp-block-heading\">Buying more tools can bolster cybersecurity protection<\/h2>\n<p>One of the biggest traps businesses fall into is the assumption that they need more tools and platforms to protect themselves. And once they have those tools, they think they are safe.<\/p>\n<p>Organizations are lured into buying products \u201ctouted as the silver-bullet solution,\u201d says Ian McShane, Arctic Wolf\u2019s field CTO. 
\u201cThis definitely isn\u2019t the key to success.\u201d<\/p>\n<p>Buying more tools doesn\u2019t necessarily improve security, because organizations often don\u2019t have a tools problem but an operational one. \u201cBy prioritizing and embracing security operations where they can make the best of their existing investments instead of endless cycling through new vendors and new products, they will go a long way toward addressing the rapidly evolving threat landscape in a way that meets the unique needs of their business,\u201d says McShane.<\/p>\n<h2 class=\"wp-block-heading\">Hiring more people will solve the cybersecurity problem<\/h2>\n<p>Professionals who are truly talented and dedicated to security are not that easy to find. So instead of searching for people to hire, businesses should <a href=\"https:\/\/www.csoonline.com\/article\/4004003\/what-cisos-are-doing-to-lock-in-cyber-talent-before-they-bolt.html\">prioritize retaining their cybersecurity professionals<\/a>. They should invest in them and offer them the chance to gain new skills.<\/p>\n<p>\u201cIt is better to have a smaller group of highly trained IT professionals to keep an organization safe from cyber threats and attacks, rather than a disparate larger group that isn\u2019t equipped with the right skills,\u201d says McShane. \u201cWhile hiring new team members can be beneficial, the time and money spent by a business on hiring new employees can be used more effectively to bolster their security infrastructure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">If we solve for the latest attack, we\u2019ll be safe<\/h2>\n<p>Many companies fall into the trap of chasing the last breach, focusing their defenses on known threats while neglecting broader, proactive strategies. \u201cOnly focusing on what has happened is a good way to be hit by what\u2019s next,\u201d says Ian Bramson, VP of global industrial cybersecurity at Black and Veatch.<\/p>\n<p>This issue has become even more evident with the rise of AI. 
\u201cAs companies become more digital and automated, cybersecurity becomes more central to strategic growth,\u201d Bramson adds. \u201cFor example, an all-source monitoring approach can help you spot patterns and identify shifting threats that haven\u2019t even reached your operational technology (OT) environment.\u201d<\/p>\n<p>A robust monitoring program can give organizations a clearer view of their risk landscape. \u201cThis allows you to prepare and take actions before they become a real incident or attack,\u201d Bramson says.<\/p>\n<h2 class=\"wp-block-heading\">You can cover all the gaps if you perform enough testing and analysis<\/h2>\n<p>While thorough testing and analysis can help identify and address many security gaps, no system can ever be completely secure. \u201cTechniques and threat actors are evolving constantly, so it\u2019s certainly best to cover all the bases and prevent entry in the first place, but assume a cyber-attack will happen,\u201d says Katy Winterborn, director of internal security at NCC Group.<\/p>\n<p>CISOs and their organizations need to think in terms of <em>when<\/em>, not <em>if<\/em>, and adopt a mindset that balances prevention with preparedness. \u201cCreate defense in depth, exercise <a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">incident response<\/a>, and check that you can recover from backups,\u201d Winterborn says. \u201cMake sure you\u2019ve had conversations at the right level and set expectations about what could happen in the worst case.\u201d<\/p>\n<p>Above all, Winterborn adds, remember that no defense is bulletproof.<\/p>\n<h2 class=\"wp-block-heading\">Change your password regularly and use MFA<\/h2>\n<p>You\u2019ve probably heard it a hundred times: change your password often. 
But according to the latest <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-63B-4.pdf\">NIST guidance<\/a>, that\u2019s not really necessary \u2014 unless there\u2019s a sign the password has been compromised. In that case, it should be changed.<\/p>\n<p>Otherwise, if the password is already strong \u2014 at least 15 characters long \u2014 forcing routine changes can actually make things worse. That\u2019s because most users tend to make only small, predictable tweaks to their existing passwords, which makes them easier to guess and less secure in the long run.<\/p>\n<p>\u201cPeople will follow patterns to remember the passwords,\u201d says Tim Rawlins, senior adviser and director, security at NCC Group. \u201cSummer2025! becomes Winter2025! unless blocked.\u201d<\/p>\n<p>Instead, experts recommend using a password manager to generate and store unique passwords for every account. \u201cUse one password per service and just change it in case the platform gets hacked,\u201d says Kolja Weber, CEO of FlokiNET.<\/p>\n<p>And yes, enable multi-factor authentication (MFA) wherever possible to be more secure, but keep in mind that <a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\">MFA can be bypassed<\/a>. \u201cIf you want an extra layer, use passkeys,\u201d Weber adds.<\/p>\n<h2 class=\"wp-block-heading\">You can manage all digital certificates deployed across your enterprise network manually with a spreadsheet<\/h2>\n<p>Companies have thousands of <a href=\"https:\/\/www.csoonline.com\/article\/571899\/the-growing-challenges-of-certificate-lifecycle-management.html\">digital certificates<\/a> running at any given time, and trying to track all of them manually is a recipe for disaster. 
Just one expired certificate can cause cascading failures such as outages of critical systems.<\/p>\n<p>\u201cThe idea that you can manage digital certificates manually is more outdated than ever,\u201d says Jason Soroko, senior fellow at Sectigo.<\/p>\n<p>The public key infrastructure industry has recently undergone massive changes, and the certificate lifespan will continue to decrease in the years to come.<\/p>\n<p>\u201cStarting in March 2026, public SSL\/TLS certificate lifespans will begin a phased reduction to just 47 days by 2029, making manual tracking virtually impossible,\u201d Soroko adds.<\/p>\n<h2 class=\"wp-block-heading\">Compliance equals security<\/h2>\n<p>As the US Marine Corps likes to say, being inspection-ready is one thing, but being combat-ready is another. \u201cMany companies focus too much on meeting compliance requirements and not enough about being truly secure,\u201d says Bramson.<\/p>\n<p>Many companies have aggressively invested in their digitalization and modernization efforts, which have expanded the attack surface and vulnerabilities. According to Bramson, \u201cregulations can\u2019t keep up with the speed of innovation.\u201d<\/p>\n<p>In this context, companies need to aim for security, not just compliance, because checking all the compliance boxes is merely meeting the minimum standards, which is clearly not enough. \u201cIt takes a much more comprehensive and individualized program to reach an advanced state of cyber maturity,\u201d Bramson says.<\/p>\n<h2 class=\"wp-block-heading\">Quantum computing and the threats it poses are still decades away<\/h2>\n<p>Criminal groups and nation-state actors are actively collecting encrypted data today, banking on future quantum breakthroughs to crack it wide open. 
This \u201charvest now, decrypt later\u201d (HNDL) tactic means national security intel, financial records, and other sensitive information could be compromised retroactively.<\/p>\n<p>\u201cQuantum threats are already in motion, and they aren\u2019t waiting for Q-day,\u201d says Soroko. \u201cEven if your data seems secure now, it may be fully exposed the moment quantum computing reaches critical thresholds. The risk is silent, invisible, and growing fast.\u201d<\/p>\n<p>In fact, NIST has already <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2024\/08\/nist-releases-first-3-finalized-post-quantum-encryption-standards\">published<\/a> a set of encryption tools designed to resist attacks from quantum computers and has urged system administrators to start transitioning to these new standards \u201cas soon as possible.\u201d<\/p>\n<p>Some tech providers are aware of the risks and are moving quickly, but most enterprises, especially those with legacy systems, will require time, planning, and new capabilities to make the switch.<\/p>\n<p>\u201cTo begin the journey toward quantum resistance, start small but start now,\u201d Soroko says. \u201cAutomating things like digital certificate renewals is a low-hanging fruit that builds momentum and prepares your IT infrastructure for bigger shifts like quantum-safe encryption.\u201d<\/p>\n<h2 class=\"wp-block-heading\">We must allow law enforcement to break end-to-end encryption to keep us safe<\/h2>\n<p>Some governments around the world are looking to pass legislation that would allow law enforcement institutions to intercept, store, and even decrypt instant messages exchanged through applications such as WhatsApp, Telegram and Signal.<\/p>\n<p>Some of these proposals mandate client-side scanning on citizens\u2019 devices, \u201ceffectively breaking the promise of end-to-end encryption,\u201d says Sabina-Alexandra Stefanescu, an independent security researcher. 
\u201cThe pushback against such laws from the civic society and security experts alike stands on firm principles: every individual has an inalienable right to privacy,\u201d she adds.<\/p>\n<p>In countries where journalists or human rights activists can face consequences, encrypted messaging and file storage \u201care the last bastions at their disposal in order to conduct their investigations,\u201d according to Stefanescu.<\/p>\n<p>The independent researcher argues that allowing law enforcement to decrypt messages \u201ccan make every person vulnerable and every device less secure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Deregulating generative AI is necessary to drive innovation<\/h2>\n<p>While some believe that loosening regulations around generative AI would unleash a new wave of innovation, others argue that the opposite is true: we need stronger safeguards in place.<\/p>\n<p>Stefanescu points to the<a href=\"https:\/\/airisk.mit.edu\/ai-incident-tracker#explore-dashboard\"> AI Incident Tracker<\/a>, an MIT-led initiative that documents real-world harms caused by AI systems. The data gathered by the researchers show a steady rise in concerning cases over the past few years, with the most significant surge linked to the spread of misinformation and the actions of malicious actors.<\/p>\n<p>\u201cWe chose to believe a mythical image of GenAI as a technology that is sure to evolve into a state that can do no harm, even while all evidence points to the contrary,\u201d Stefanescu adds.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The past few years have seen a dramatic shift in how organizations protect themselves against attackers. The rise of AI and the fast-paced digitalization have changed the security landscape, making CISOs\u2019 jobs more complex than ever before. This rapidly changing environment demands a fresh mindset, one that challenges long-held assumptions about what keeps organizations secure. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5376,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5375","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5375"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5375"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5375\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5376"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}