awareness is never enough

We talk a lot about user security awareness.

But awareness is never enough.

I might be aware that you forgot to close the window on a rainy night. This won't help unless I care to close it or remind you. I might be aware that my password could be misused by a malicious individual. This won't help unless I care to make an effort to protect it.

I must care enough to do the right thing when it would be easier not to. I must be committed. So, let’s stop parroting awareness as an end goal. It’s not.


applying principles for societal security

At a FoF seminar today, the MSB suggested 10 principles for societal security.
I interpreted eight of them for InfoSec Management.
  • earn and maintain trust among stakeholders
  • communication is an indicator of a safer organizational systems environment
  • readiness begins and ends with the individual coworker
  • incident prevention can be made more effective
  • critical services must remain available
  • information security is everybody's business
  • manage dependency on external suppliers
  • a system transcending trust boundaries can only be managed in a concerted effort


no silver bullet

There's an entire industry based on the assumption that Security Management is about fancy technology. The latest and greatest product, the silver bullet which will finally turn the tide and help us defeat adversaries once and for all.


To me, it's all about people. The folks who envision, design, build, deploy, operate, evolve, maintain and - when that day comes - decommission the system in a controlled fashion. Most importantly, the Owner who remains accountable throughout the system's life-cycle.