Good rules …

  • Stop talking about traditional “risk management” as some sort of magical rubric or panacea.
    Start talking about threat modeling and legal defensibility.
  • Stop using ad hoc approaches to security architecture and solutions.
    Start adopting a holistic, systemic ISMS-like approach.
  • Stop delegating ownership of security to IT or other non-business leadership.
    Start requiring execs and the board to directly own and be responsible for security.
  • Stop relying on shortcuts to survive audits.
    Start demonstrating actual due diligence by adopting a reasonable standard of care.
  • Stop looking for ROI to “justify” security.
    Start thinking of security as a business enabler that facilitates better decisions and helps protect the business during both the good and the bad times.

Source: A Sense of Self-Preservation
