Cybersecurity rules of thumb. Easy to do | by Vicente Aceituno Canal | The CISO’s lair | March 2024


Easy to do

photo by Johan Godínez on Unsplash

Sometimes you have to understand something in order to deal with it. But it’s also true that sometimes a humble rule of thumb, a heuristic without much theory, evidence, or conceptual underpinning, can get the job done and keep you out of trouble!

1. The difference between being pessimistic and paranoid is the same as between being productive and busy.
2. Patches are not applied by computers and vulnerabilities are not fixed by computers; they are applied and fixed by people. Learn to deal with people first.
3. You can’t protect something if you don’t know it exists and who manages it. You also can’t protect it if it’s too complex to understand.
4. Backed-up data that has been tested for restoration is gold.
5. If you don’t have a comprehensive list of single points of failure, you don’t have a business continuity plan.
6. If you don’t investigate why new mild anomalies are occurring, you deserve all future incidents.
7. Pentests look for vulnerabilities, not identity management issues. Find those yourself and fix them.
8. Procedures are sufficient when a new hire can use them without training on their first day on the job. Otherwise, they are just for show during audits.
9. Role requirements come from users, not administrators. Only users know what others should not be able to do with the system.
10. Ockham’s Razor: any concept that does not start and stop projects must be obsolete.
11. If you didn’t communicate it, it didn’t happen.
12. The map is not the territory, and the model is not the thing.
13. You can achieve the same goal using different approaches. Kill your darlings; don’t fall in love with just one.
