June 18, 2026

Debunking the 7 Most Common Security Myths We Hear


Many of the myths that keep organizations from making meaningful improvements to their security posture stem from a misunderstanding of how modern attackers operate, and how seemingly minor misconfigurations can add up to major business risk.

In this article, we’ll hear from an expert on each of our red and blue teams about the most common myths and misconceptions they encounter, and debunk them so you can build more resilient defenses.

Red Team Perspective: Daniel Parker, VP of Ethical Hacking

“Our exterior is solid, so we don’t need to focus as much on internal visibility.”

“We actually still hear this one quite a bit. Organizations feel that their external network is fairly locked down, so they don’t need to worry as much about internal visibility. But without that visibility, it’s not uncommon for organizations to have an incident and be none the wiser. One phished employee or compromised vendor and an attacker is inside the ‘trusted’ zone with little stopping them. Flat networks, weak internal auth and overprivileged accounts mean domain compromise can happen in hours. Segmentation, least privilege and internal detection coverage turn a soft interior into a real layer of defense. Limit the blast radius for when, not if, something gets in.”

“Automated scans = pentesting.”

“I don’t see this one a lot with our long-time customers because they're used to getting full-scope pentests where we’re replicating what real threat actors are doing. But in general, a lot of people think that penetration tests are just installing agents in your environment and running a bunch of scans. Scanners find what they're programmed to find. They won't catch a broken access control model, a chained exploit or a business logic flaw that lets User A pull User B's data. A clean scan report doesn't mean you're clean. Use both for what they're actually good at: scanners for continuous known-vulnerability coverage, human-led testing for everything that requires actually thinking like an attacker.”

“We tested it once, so we’re covered.”

“Between new deployments, configuration drift and dependency updates, the attack surface shifts constantly. Pentests are a point-in-time snapshot, and attackers don’t wait for your next annual assessment. We also see more auditors and compliance folks asking ‘what are you doing throughout the rest of the year?’ between annual tests. Our NWG Resilience customers have an answer to this question because we do monthly testing and validation for them. Based on how quickly the technology and threat landscape can change, you need to have an ongoing awareness of what you know and what you don’t know. Higher-frequency testing and continuous validation can catch drift before it becomes an incident.”

Blue Team Perspective: Scott Smith, VP of Security Architecture

“Compliance = security.”

“Compliance can help provide a framework for better security, but in itself it does not equal security. I think the reason why people believe this myth is that compliance assessments give them a report or audit to latch on to that tells them how they’re doing. But in reality, any compliance framework is at best the baseline level of where you need to be. A report from an audit is a point-in-time reference that’s not necessarily relevant six months later. So I think the biggest takeaway there is to understand that just because you meet compliance requirements, that doesn’t mean that you can ignore overall risk management. Risk management and compliance are related, but they’re definitely not the same thing. Make sure they’re separate topics for your organization to address.”

“Bigger budget = better security.”

“A larger budget does not guarantee that an organization has the right processes and management in place. What I see is that a lot of organizations, especially large organizations, will spend more on tooling and technology, but in doing so, they create complexity without effectively reducing risk. For instance, they’ll have two or three different tools and services that do the same thing, and none of them do it well because none of them are effectively managed: they don’t really have a process or program to understand what each tool does and where it fits in their broader security program.

“Regardless of your budget size, you have to have an understanding of what the biggest security risks are for your company, and prioritize your spend based around your core business functions, your critical systems and assets, and the data you need to protect.”

“We have an incident response plan, so we’re prepared.”

“Policies, procedures and plans should all be evaluated and updated on a regular basis. Otherwise, they’re just words that your org won’t actually be able to live by when something happens. For example, having an incident response plan is a good first step, but just having it doesn’t mean that you’re fully prepared for an incident. We’ve seen situations in tabletop exercises where we ask, ‘Who would be responsible for this?’ and the answer is, ‘This person, but they’re no longer here.’ These documents should be living. They should be tested. They should be updated.”

“The security team just gives us more work.” (IT team)

“With bigger companies that have a dedicated security team as well as IT and systems infrastructure teams, we often hear that those on the latter teams view security as a source of additional work when they’re already stretched thin. Their priority is availability. They get yelled at if something’s down. If there’s a vulnerability, that’s security’s responsibility. The way to bridge this gap between teams is clear, top-down communication about prioritization and risk management.

“Security isn’t solely the responsibility of any one team. When leadership makes it clear that the health of the overall business depends on security, companies can avoid disconnected teams and misaligned priorities. When each team understands how their work fits into the broader business goals, any work that supports those priorities feels logical and intentional, rather than one more thing to do ‘because someone says so.’”

In Conclusion

If one or more of these myths hit close to home, you’re not alone. As our experts highlighted, cybersecurity is an ongoing, dynamic effort rooted in frequent testing and validation, proactive risk management, and organizational alignment. Getting past these common myths and treating security as a shared, living business priority rather than an IT problem is an important step in the cyber resilience journey.

Everyone begins that journey from a different place, and we never judge an organization for the stage they find themselves in or the security misconceptions they may still have. We’re simply here to help.

Want to learn more about building a resilient and secure future for your organization? Let’s chat.

Published By: Daniel Parker, VP of Ethical Hacking; and Scott Smith, VP of Security Architecture

Publish Date: June 18, 2026
