The Laws of Information Security
Andrew Yeomans reminded me of Peter Cochrane’s Real Laws of Information Security. Inspired by these, I decided to create my own.
- The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents
- The best employees create the biggest breaches, as they work harder, longer and are more empowered
- Risk appetite means not having to spend money on security
- Risk management is for regulators and auditors: to create an illusion of control where none exists
- Risk assessment is a decision-support tool, not a decision-making one
- A good, modern security architecture is ragged around the edges, full of holes and exists largely in people’s minds
- Security is applied backwards through the development cycle, starting with operational fixes and addressing design principles and requirements last of all
- In every four people, one is an out-and-out crook, another honest to the point of stupidity, and the others will take a risk assessment to see what they can get away with
- Information warfare is the art of illusion rather than the science of sabotage
- Security will always be decades behind safety in understanding the root causes of incidents and how to address them