6 Myths That Are Killing Corporate Cybersecurity
Today, I want to pop that bubble of mystery and uncover the truth behind some of the most common myths I’ve heard over the years. Let’s bust those myths together!
Truth be told, for most people, cybersecurity still feels like something magical and something they’d rather avoid.
It’s too complex and too abstract for those not directly involved to imagine what’s really happening behind all those activities.
Maybe that’s why there are so many myths about how it all works.
Why don’t companies like to be secure?
When you think about it, why is it that so many companies still don’t take cybersecurity seriously?
Nobody wants their data stolen. Nobody wants to lose money. So what’s the problem?
The answer is simple:
Money.
Imagine you're a senior manager, and someone asks you to invest in protecting against something that might happen.
Something that hasn’t happened yet.
Something you can’t see.
Not exactly a priority, is it?
And that’s how we ended up in a world where everyone says they want to be secure — but very few are willing to pay for it.
This mindset creates the perfect conditions for cybersecurity myths to thrive.
So let’s take a closer look at some of the most common ones.
Why Should You Listen to Me?
If I were you, I’d be asking the same thing:
“Who is this guy, and why should I care what he has to say about cybersecurity?”
Fair question. So let me give you a straight answer.
My name is Erich, and I work as a Cybersecurity Manager. That means I spend my days performing risk analysis, communicating results, proposing solutions, and spreading awareness. In short, my focus is on governance, risk management, and aligning security with real business goals.
I deal with the messy, ever-changing reality of compliance, policies, frameworks, and human behavior.
Recently, I decided to push myself further and began preparing for the CISSP, one of the most respected certifications in the industry.
At the same time, I realized something important:
Cybersecurity still feels like a black box to most people.
And that’s a problem.
So I launched my newsletter, not just to document my CISSP journey, but to help real people understand how security actually works and why it matters to them.
I don’t claim to know everything.
But I do know what works, what doesn’t, and how to explain it in a way that makes sense.
And yes. I’ve heard more than my fair share of myths that just don’t hold up.
Common myths
Myth #1: All cybersecurity managers do is implement costly controls.
That’s how we’re often seen, as people who just want to throw expensive security controls at everything to look important.
But here’s the truth:
We understand that businesses exist to make money, not to implement security controls.
Our real job isn’t to spend as much as possible. It’s to achieve balanced security.
To find that sweet spot between protecting what matters and keeping costs reasonable.
Yes, we consider all the risks, but that doesn’t mean every risk gets a control. Sometimes, we decide to:
Accept the risk (do nothing),
Avoid the risk (remove the risky system),
Transfer the risk (e.g., via insurance).
The issue is: these decisions are often invisible.
So from the outside, it might look like we just throw controls at everything, but in reality, we make risk-based decisions every day.
Myth #2: Security isn’t our responsibility — we have a CSO for that.
This is one of the most dangerous mindsets in any organization.
Yes, the Chief Security Officer (CSO) sets the direction. Yes, security teams build the framework.
But how do you expect one person to handle everything?
Do you expect the Chief Financial Officer to personally oversee all transactions in the organization?
Do you feel like your dentist is responsible for you brushing your teeth?
You probably don’t.
So keep in mind, most breaches don’t happen because a firewall failed. They happen because:
Someone clicked a phishing link
A weak password was reused
Sensitive data was shared without thinking
Security is everyone’s responsibility.
From interns to executives, every person plays a role. Like it or not, most risks start with human behavior, not just technology.
Myth #3: We’re too small to be a target.
I just love hearing that. No matter how big or small the company is, someone will always say, “Nobody would bother attacking us.”
But here’s the truth:
You are never too small to be a target.
Sure, the type of attack may differ. But that doesn’t make it any less serious.
And let’s not forget the internal threats. You don’t need a hacker to bring your business down. Sometimes, it’s as simple as a hard drive failure and no backup plan.
That’s not a breach. That’s bad luck combined with poor preparation.
Cybersecurity isn’t just about firewalls and ransomware.
It’s also about business continuity, disaster recovery, compliance, and resilience when things go wrong.
Here’s the real message:
If you’re a smaller company, your priorities will look different than a huge corporation. That’s perfectly fine.
But skipping cybersecurity? That’s not a strategy. That’s a risk.
Myth #4: Compliance = Security.
You know how it often is in big companies. You get a checklist, you tick all the boxes, and you’re done.
Well, I hate to break it to you, but that’s not how cybersecurity works.
It might look that way during an audit. Excellent templates, signed policies, and logs printed out for the auditor. But that’s where the similarity ends.
Compliance is about meeting minimum requirements.
Security is about reducing real-world risk.
You can be fully compliant and still be completely vulnerable.
Why?
Simply because the standards are generic. They don’t know your threat landscape, and they don’t keep up with the speed at which attackers operate.
So yes, compliance matters. But if you stop there, you will probably face some serious issues.
Myth #5: We will deal with security later
Okay, this one isn’t exactly a myth. It’s more of a mindset.
But it’s so common that I have to mention it.
Picture this:
You’re building a new service. You gather requirements, define functionality, set expectations, and line everything up perfectly.
Except for one thing:
Security.
You tell yourself you’ll “focus on it later.”
And “later” turns out to be… right before the release.
At that point, you finally bring in the Cybersecurity manager.
And guess what? He uncovers several design flaws. Things that could’ve been fixed easily at the start, but now require major changes, extra time, and additional budget to meet company standards.
The result?
The project is delayed
Costs increase
And the cybersecurity team becomes the “bad guy” who ruined a “perfectly working” product
Here’s the lesson:
Cybersecurity must be considered during the design phase!
Myth #6: Security Training Is Only for IT People
This one comes up way too often.
The assumption is simple: “I’m not in IT, so I don’t need to worry about cybersecurity.”
Wrong.
Most security incidents don’t start in IT.
They start with someone clicking a phishing link, using a weak password, oversharing information, or falling for a social engineering scam.
That “someone” could be:
A receptionist
A salesperson
A senior executive
You
Cybersecurity training isn’t about learning how firewalls work.
It’s about knowing how to recognize real-world threats. Suspicious emails, fake login pages, or manipulative phone calls.
In fact, non-IT staff are often the biggest attack surface because they don’t expect to be targeted, and that’s exactly what attackers count on.
So no, security training isn’t just for people from the IT department.
It’s for everyone who touches a keyboard, opens an email, or has access to sensitive information.
If you're part of the business, you're part of the risk.
And that means you're part of the solution too.
Why does it all matter?
I’m sure you could name a dozen other myths or flawed mindsets about cybersecurity. And honestly, so could I.
But I chose these specific ones because I’ve experienced them all.
And together, they highlight a bigger problem:
Most people still misunderstand what cybersecurity actually is.
The whole field is still relatively new. And for many, it’s too abstract.
They try to fit it into existing boxes, but it simply doesn’t fit.
Some see cybersecurity as a guy in a hoodie hacking from a basement.
Others think it’s just a bunch of annoying rules and paperwork.
And many see security teams as blockers, people who show up late and delay their projects.
But here’s the thing:
Cybersecurity isn’t here to stop you. It’s here to keep you going.
It’s about protecting what you’ve built, not just from hackers, but from mistakes, bad luck, and unforeseen events (including floods and other natural disasters!).
If you’re still reading this, then I hope you will see cybersecurity leaders differently from now on.
I hope you’ll become what we call a cybersecurity champion.
Someone who sees the security team not as the enemy, but as a partner.
And trust me, it often takes just one person in a team to change the mindset for everyone else.
Let that person be you.
If you enjoyed this article and want to hear more from me, you can find my writing at Erich Winkler.
I hear myth number three all the time.
Earlier this month I was dealing with the aftermath of a ransomware attack for a local business. How many employees did they have?
ONE.