The Laws of Information Security

Andrew Yeomans reminded me of Peter Cochrane’s Real Laws of Information Security. Inspired by these, I decided to create my own.

  1. The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents
  2. The best employees create the biggest breaches, as they work harder, longer and are more empowered
  3. Risk appetite means not having to spend money on security
  4. Risk management is for regulators and auditors: to create an illusion of control where none exists
  5. Risk assessment is a decision support tool, not a decision making one
  6. A good, modern security architecture is ragged around the edges, full of holes and exists largely in people’s minds
  7. Security is applied backwards through the development cycle, starting with operational fixes and addressing design principles and requirements last of all
  8. In every four people, one is an out-and-out crook, another honest to the point of stupidity, and the others will take a risk assessment to see what they can get away with
  9. Information warfare is the art of illusion rather than the science of sabotage
  10. Security will always be decades behind safety in understanding the root causes of incidents and how to address them


Points well made. Perhaps the time has come to rename our industry "information safety" because that's what it's really about. Is our information safe in the hands of others; do they keep it protected (confidentiality)? Do they protect it from damage (integrity)? And do they use it correctly (availability)? Perhaps, with the long-awaited exercising of the ICO's extended powers, we will see a shift in understanding when it comes to corporate responsibility and liability. After all, the Health and Safety at Work Act took a while to really embed itself in the hearts and minds of corporate bodies, and that was largely through the realisation that failure to comply carried large financial and personal penalties. Sadly, even if we do make that shift I suspect we will also have to endure a period of pain similar to the "health and safety gone mad" phase where every workplace was stifled by a desire to eliminate rather than manage risk. Although I suspect that information security already carries that "gone mad" stigma, hence the reason why it is either ignored completely, or applied with such inappropriate rigour as to be a self-fulfilling prophecy. I look forward to the day when safety eliminates accidents and incidents altogether, so we security professionals can start catching up.

I'd add an additional law: If you don’t check then it hasn’t been done...