Certain immutable laws of cybersecurity

The original immutable laws of security (v2 updated below) identified key technical truths that busted prevalent security myths of those times. In that spirit, we’re publishing a new complementary set of laws focused on busting prevalent myths in today’s world of ubiquitous cybersecurity risk.

Since the original immutable laws, information security has grown from a technical discipline into a cybersecurity risk management discipline that includes cloud, IoT and OT devices. Now security is part of the fabric of our daily lives, business risk discussions, elections, and more.

As many of us in the industry followed this journey to a higher level of abstraction, we saw patterns of common myths, biases, and blind spots emerge at the risk management layer. We decided to create a new list of laws for cybersecurity risk while retaining the original laws (v2) as is (with a single slight change of “bad guy” to “bad actor” to be fully correct and inclusive).

Each set of laws deals with a different aspect of cybersecurity: designing sound technical solutions versus managing the risk profile of a complex organization in an ever-changing threat environment. The difference in the nature of these laws also illustrates why navigating cybersecurity is difficult in general: technical elements tend toward the absolute, while risk is measured in likelihood and uncertainty.

Some Laws of Cybersecurity Risk

A. Achieving Security Success Damages Attacker Profitability: Security cannot deliver absolute safety, but it can discourage attackers by reducing their Return on Investment (ROI). Raise the cost for the attacker and diminish the returns they can obtain from your most critical assets.

B. Failing to Advance is Regressing: Security is an ongoing process, and standing still means falling behind. The cost for attackers to take control of your assets is constantly decreasing. Continually updating your security patches, strategies, risk awareness, inventory, tools, monitoring systems, permission models, and platform coverage is vital to staying ahead.

C. Efficiency is the Ultimate Champion: If users find security complicated, they will try to bypass it to perform their tasks. Ensure that your solutions are both secure and user-friendly.

D. Attackers are Indifferent to the Techniques They Use for Infiltration: Attackers will exploit any vulnerability to reach your systems and assets, compromising anything from a networked printer to a cloud service or a PC. They could deceive a user, take advantage of insecure procedures, or simply ask for passwords via phishing emails. Your duty is to understand and eliminate the simplest, cheapest, and most profitable options available to them.

E. Ruthless Prioritization is a Necessity for Survival: There is never enough time or resources to mitigate all risks. Prioritize the assets most crucial to your organization, those attractive to attackers, and keep updating this prioritization.

F. Cybersecurity Requires Teamwork: It’s impossible for one entity to handle everything. Concentrate on tasks that are unique to you or your organization in order to protect its mission. If others can do certain tasks more efficiently or cost-effectively, let them do it.

G. Your Network May Not Be as Trustworthy as You Believe: Relying solely on password protection and trusting internal devices results in a security strategy that is barely better than having none at all. Attackers can easily bypass such defenses, so the trustworthiness of each device, user, and application must be continuously proven and verified, starting from a zero trust baseline.

H. Isolated Networks Aren’t Necessarily Secure: Air-gapped networks can provide strong security if correctly maintained. However, if resources are important enough to be placed on an isolated network, be sure to invest in mitigations for the ways connectivity can still occur, such as USB media, bridges to internal networks, and external devices.

I. Encryption Isn’t a Standalone Data Protection Measure: Encryption is effective against particular types of attacks, but encrypted data is only as safe as the decryption key that protects it.

J. Technology Cannot Rectify Problems Stemming from People and Processes: Techniques like machine learning, AI, and others can make substantial progress in security. However, cybersecurity is fundamentally a human problem, and it cannot be fully solved by technology alone.

Each law underlines the need for a proactive, ongoing strategy for managing cybersecurity risk, one that includes every part of the organization, from individuals to processes.

https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security

https://learn.microsoft.com/en-us/security/privileged-access-workstations/administration-videos-and-decks?source=recommendations

https://learn.microsoft.com/en-us/security/ciso-workshop/ciso-workshop-module-1?source=recommendations

https://www.linkedin.com/pulse/practical-examples-immutable-laws-security-ziggy-nemeth