Gartner dispels security myths

By Negar Salek
Sep 24, 2008 9:16 AM

The ongoing evolution of cyber attacks indicates that hackers are losing the battle against security professionals, Gartner analysts have claimed.

In their aim to dispel the many IT security myths and misconceptions in existence today, Gartner analysts said the popular notion that hackers are beating the good guys is incorrect.

If hackers were winning the battle, they would not be trying so hard to invent new techniques, according to security, privacy and risk analysts Andrew Walls and Eric Ouellet in the keynote address at Gartner’s IT Security Summit in Sydney on Tuesday.

“I find it encouraging when I hear about a new threat, because that means hackers are not succeeding. [Instead], they're using new tools,” said Walls.

“It’s fantastic that hackers are having to work harder and harder to find that new gap,” said Walls, referring to the highly publicised DNS vulnerability.

In a similar tone, Ouellet argued that if hackers were winning, the security industry would still be where it was ten years ago. “Hackers are being forced to come up with new techniques,” he said.

According to Ouellet, another major misconception is the belief that the more money organisations spend on security, the better the system. Gartner research shows the opposite is in fact more accurate.

“Most organisations spend between three and seven percent on security,” he said.

“What we have found is that organisations that spend more than seven percent of the IT budget on security are actually less secure because they use reactionary approaches. They end up with point solutions where there’s no overarching theme and no integration.

“Organisations that spend less have better security, [even though] they spend a lot less, by two to two and a half percent, making them more efficient,” explained Ouellet.

Security professionals need to qualify threats that are reasonably anticipated, and dispel those which are pure myths, misconceptions, or based on paranoia of the unknown.

“We have to move beyond just reacting to another virus threat, we really have to think beyond that to a process and control framework to have these events managed,” Ouellet said.

Security professionals also need to keep security and IT simple. According to Ouellet, too many organisations overcomplicate things.

“Most organisations don’t do the pre-planning or look at the needs of the business. From here on in we need to look at what we need. The more we simplify IT the less money we have to spend.”

Furthermore, the notion that being compliant means a business is secure is a myth. According to Walls, compliance really only means an organisation is allowed to play the game, and those clients chasing compliance never have a good security program.

Additionally, security is an enabler, not a hindrance: it provides the environmental suite that enables usage. Data leakage has not suddenly surged either; it has been an issue for decades, the analysts said.

 