- Stop talking about traditional “risk management” as some sort of magical rubric or panacea. Start talking about threat modeling and legal defensibility.
- Stop using ad hoc approaches to security architecture and solutions. Start adopting a holistic, systemic ISMS-like approach.
- Stop delegating ownership of security to IT or other non-business leadership. Start requiring execs and the board to directly own and be responsible for security.
- Stop relying on shortcuts to survive audits. Start demonstrating actual due diligence by adopting a reasonable standard of care.
- Stop looking for ROI to “justify” security. Start thinking of security as a business enabler that facilitates better decisions and helps protect the business during both the good and the bad times.
A Sense of Self-Preservation