Changing Courses: Security is Too Often Based on Assumptions


Assumptions waste time, money, and resources, according to one CISO. “And they have the added disadvantage of not even effectively mitigating risk,” he writes.


By Brian Contos, CISO

The Verodin team and I have spent many quarters traveling all across the US and abroad. When we’ve been out there giving talks, we’ve also been collecting security statistics from hundreds of audience members via real-time polling software.

The results of these polls have created an interesting cross-section of perspectives. My audiences generally include red and blue security teams, auditors, security executives and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare and oil & gas, just to name a few.

For this blog, let’s take a look at the polling question: How much of your security is based on assumptions instead of evidence?

Not surprisingly, a whopping 97 percent of the poll respondents said that at least some of their security is based on assumptions. 81 percent said that at least half of their security was based on assumptions, and 10 percent claimed that all of their security was based on assumptions.


About the author


EfficientGov Staff

EfficientGov is an independent information service providing innovative solutions to fiscal and operational challenges facing cities and towns around the world.