I’ve said it before and I’ll keep on saying it: the greatest threat to cyber security is the cyber security industry itself and the “good enough” mindset.

Every day there is a claim of a new product that will be the silver bullet to protect your organization against a breach, and every day a company spins up a new “Cyber Security” services division. They’re hopping on the security bandwagon, usually with little to no credentials.

The security industry is a market of great need, but it has fallen into an opportunist industry ready to sell you anything you can imagine. Most people don’t understand the complex world of cyber threats and are falling victim to what equates to a global scam of an industry.

Here are a few facts that will help you wade through misleading propaganda:

1. There is no silver bullet and there never will be. Let’s get this one out of the way right off the bat. There will never be a product that completely saves you from every cyber threat. Many products in this space do a very good job of detecting malware and other types of executables that shouldn’t be running on your systems. While these products can and should be included as a layer in your overall security model, each typically only protects one area of cyber threats—mainly publicly disclosed vulnerabilities. Real attackers steal legitimate credentials for your network and use them over time to gain other legitimate credentials. In short, the biggest threats come from attackers accessing your IT infrastructure as a legitimate user in your organization. If your organization has not addressed the fundamentals of network hygiene and regularly scheduled advanced penetration testing from a qualified team, there’s no security appliance on the planet that will save you.

2. Very few people are actually qualified to “test” your system. I know I’ll be speaking for all companies who invest in real talent with this one: the cyber skills gap is the largest skills gap that we face right now, so how can every business advisory firm be selling “penetration testing”? It’s shocking how many of our clients tell us that their last penetration test was done by their CPA, business advisor, or other partner. They are fooled by the fact that a representative of those firms has a Certified Ethical Hacker certificate. What they don’t know is that the cert can be obtained in about two weeks. Would you trust a doctor’s diagnosis if you knew he had only attended two weeks of medical school? Many mistakenly assume that there is one level of hacking, and that anyone who says they are certified must be qualified to protect your organization. In fact, this industry is much more like the different levels of baseball. You have every skill level from little league all the way up to the major leagues. To be frank, there are some real major league companies putting their trust in security talent operating at a junior high level, and there are some premier security companies that are very guilty of selling minor league talent at a major league rate.

3. Encryption does not always equal secure. There’s a huge misconception around data encryption at rest, and it usually goes unmentioned. If you’ve invested in data-at-rest encryption technology and you think you’re safe, think again. Remember when I said attackers like to steal legitimate credentials? Well, encryption at rest goes out the window once an attacker is posing as a legitimate user, because the system decrypts the data for any user who is authorized to read it. More emphasis should be put on credential and access management, multifactor authentication, and visibility into the unique vulnerabilities that are specific to your environment. In many cases encryption at rest is a requirement and must be implemented. Don’t use it as a loophole. You are still responsible for understanding that implementing such technology is only a layer in a security program.

4. Your move to the cloud does not protect you. I’ve heard it a thousand times: “We moved to the cloud last year, so all is well with our data security.” While this model is definitely more secure than keeping your servers in the janitor’s closet, there are still very real ways for attackers to get your data. Again, real hackers use valid credentials to move throughout your network. So, even in the cloud, they can access all the data you can access.

Now here’s the real truth: security is a never-ending process. You need to beware of anyone selling you a magic potion. If you have questions about a company’s expertise in this area, your concerns are likely justified.