Mubix posted an excellent question via Twitter today. Twitter promptly decided to poop out on me… but even so, I thought it a question worthy of blogging about.

mubix: Polling the audience (serious answers please). If you could get your boss to understand one security concept fully, what would it be?

Take a few moments to think about that one. Grab a stress ball, sit back and sip some coffee, whatever it is you do when absorbing something, but just take a moment to think.

Lots of things come to mind. Trust no one! Audit and change management! Patch! Hire, retain, and train competent staff to do the heavy thinking! You can never have too much information (just bad consumption of it). Support the business securely.

I finally posted back the following:

@mubix Hard question, and worthy of a blog post. I’d say “You *will* have a security incident. Plan for it and plan to find it.”

I was hoping for something more profound like, “Wax on, wax off,” that would encapsulate a whole zen-like frame of mind where all security pieces fall into place. Alas, this was my contribution. At least I feel it states one of our fundamental laws of security, and sets the tone to properly detect, monitor, check, audit, and respond to incidents.

  1. If it means anything, my thoughts (before I continued to the end of your post) were “everything fails, plan for those failures”… different wording but the same spirit as your answer, it seems…

