The 10 Immutable Laws of Security Administration

Found the following ‘Immutable laws of Security Administration’ the other day. Apparently Microsoft first published this back in 2000. That is twenty years ago now. For reference, common technology in use back then:

The first camera phone appeared, The Sims was launched, and USB drives were just then becoming commonplace.

What is crazy to someone who hasn’t been around the scene so long is that technology has changed so much in just 20 years, yet the ideas that drive some of our most basic security practices are still the same.

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea

That list could be pasted on almost any CISO’s wall today, and be 100% relevant. Even in our cloud native environments, most of this is true. Just replace ‘Network’ with ‘Environment’.

As of this writing, it’s 2021, and intrusions and large-scale breaches are all too common. Yet, still, EVEN NOW, many executives do not think that anything bad is going to happen to them. It’s why cybersecurity is often run on a shoestring budget; it’s why so many IT administrators don’t take vulnerabilities reported to them seriously; it’s why so many risks are marked as acceptable today. Laws number one and six are still so relevant it’s painful.