The Laws of Information Security

Andrew Yeomans reminded me of Peter Cochrane’s Real Laws of Information Security. Inspired by these, I decided to create my own.

  1. The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents 
  2. The best employees create the biggest breaches, as they work harder, longer and are more empowered
  3. Risk appetite means not having to spend money on security
  4. Risk management is for regulators and auditors: to create an illusion of control where none exists
  5. Risk assessment is a decision-support tool, not a decision-making one
  6. A good, modern security architecture is ragged around the edges, full of holes and exists largely in people’s minds
  7. Security is applied backwards through the development cycle, starting with operational fixes and addressing design principles and requirements last of all
  8. In every four people, one is an out-and-out crook, another honest to the point of stupidity, and the others will take a risk assessment to see what they can get away with
  9. Information warfare is the art of illusion rather than the science of sabotage
  10. Security will always be decades behind safety in understanding the root causes of incidents and how to address them