I like lists. Jay Jacobs over at his Behavioral Security blog posted a list of infosec “rules to live by.” Can’t say I disagree with any of them, but thought I’d add to the discussion a bit!
Rule 1: Don’t order steak in a burger joint. I don’t really have much to add to this excellent point!
Rule 2: Assume the hired help may actually want to help. I agree with this, but I’d also play with changing the wording in one of two ways. First: “Don’t assume anything.” Second: “Assume the hired help will follow the path of least resistence.” I know, I’m twisting that rule around almost 180 degrees. I get that awareness can (and does!) foster the ability for people to make proper decisions. But I can’t assume or rely on that enough to call it a rule. I really like the last line in Jay’s paragraph on this, though. Still, I think he makes a similar point he went after in this rule, in the next few rules.
Rule 3: Whatever you are thinking of doing it’s probably been done before, been done better, by someone smarter, and there is a book about it. Absolutely! This is where being in touch with the greater security community is invaluable.
Rule 4: Don’t be afraid to look dumb. I can’t say this enough, especially to myself. Don’t be afraid to look dumb! We only get one life, usually one shot at things like first or lasting impressions. Don’t waste yours and other people’s time with false facades. Take a shot, fail, learn, do it better the next time. Lay your balls out there. As I’m fond of saying in the sysadmin world: we learn the most only when we’re troubleshooting issues or in the middle of failure. This is why “fail” and looking dumb need to be intrinsic cultural values in an IT organization.
Rule 5: Find someone to mock you. I’d probably reword this rule, but the point absolutely stands: find people who will honestly challenge you, mutually. This is the age-old, “Surround yourself with people smarter than you,” maxim. But really, it’s about mutual respect and being able to follow rule #3 and still be a man (or woman).