Rich Mogull has been around in security for 20 years, and he posts about his guiding security principles. I think I agree with them all ( to varying degrees), but there are a couple I’d like to build on.
1. “Don’t expect human behavior to change. Ever.” – Fine, you *can* change human behavior to an extent, but we in security can’t *expect* it to change. Otherwise it just becomes an excuse for insecurity and we start taking steps away from reality. We have to work with human behavior or find ways to influence it that are not like flatly telling someone, “No.” Positive and negative conditioning should be general vocabulary terms for security geeks, let alone the other influencers (economics, psychology, politics, etc). We social engineer on a weekly basis, or at least should.
2. “…keep it simple and pragmatic.” – Yeah, we all get sick of the KISS principle after even one semester of technical coursework. But it absolutely must be a guiding principle in what we do, not just in security, but IT in general. Keep it simple. Keep it simple. Keep it simple. The more complex something is, the larger the total cost of ownership, the worse the security will be, and the more annoying it will be to anyone involved. Keep it simple. This becomes easier when you agree to Rich’s other principles. That way you stop yourself from trying to block every last % of vulnerabilities that have a miniscule chance of occuring or account for every possible action a human employee may take. Keep it simple. There is a reason this permeates so many personal philosophies in every facet of business and life.
As one of my favorite quotes, “Simplify, simplify.” -Thoreau.