Nearly a year ago, journalist Martin Banks codified “Five Laws of Cybersecurity”. Cybersecurity is a complicated field, and any way to distill its many facets into short, easy-to-remember maxims is welcome. The five laws are a very good start towards developing a robust security program. The laws are:

  1. Treat everything like it’s vulnerable.
  2. Assume people won’t follow the rules.
  3. If you don’t need something, get rid of it.
  4. Document everything and audit regularly.
  5. Plan for failure.

Of course, compliance with a rule does not by itself equal security, but these general cybersecurity “laws” are a useful reference. Still, as with real regulations, some depth and background add meaningful value, and in some cases the origins of these unofficial laws can provoke lively debate among even the staunchest cybersecurity practitioners.

Treat Everything Like It’s Vulnerable

The first law is to treat everything as if it is vulnerable because, of course, everything is vulnerable. Every risk management course, security certification exam, and audit mindset emphasizes that there is no such thing as a 100% secure system. Arguably, the entire cybersecurity field is founded on this principle.

Because many organizations fail to meet this standard in full, zero trust security has become the benchmark of mature cybersecurity practice. Zero trust, by design, denies access to everything until the requester's identity and authorization have been verified. This is similar to what you see in a spy movie, where entry to any and all rooms requires authorization. Zero trust goes further by re-checking that permission at various stages of a session rather than only at login. Identity and access management (IAM) for both users and devices, as well as steps such as update verification, are the bedrock of a zero trust environment. No device, program, or user should have access to
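The deny-by-default, re-check-every-request behaviour described above can be made concrete as a small policy-decision function. The following is an added illustration written for this page, not code from the original article or from any zero trust product. Everything in it is an assumption chosen for the example: the `ALLOW_RULES` policy table, the device-posture fields (managed, disk encrypted, patch baseline met), and the 300-second window after which a sensitive action requires fresh multi-factor authentication even inside a valid session.

```python
"""Deny-by-default, per-request authorization in the zero trust style.

Added illustration for this page, not the article's or any vendor's code.
Policy table, device-posture fields and the re-authentication window are
assumptions chosen for the example.
"""
from dataclasses import dataclass

# Assumption: sensitive actions need MFA completed within the last 5 minutes,
# so permission is re-checked mid-session, not only at login.
REAUTH_WINDOW_SECONDS = 300

# Assumed policy table of explicit allows as (role, action, resource_class).
# Anything not listed is denied; there is deliberately no "allow all" fallback.
ALLOW_RULES = {
    ("engineer", "read", "source"),
    ("engineer", "write", "source"),
    ("admin", "write", "config"),
}

# Assumed set of (action, resource_class) pairs that trigger step-up auth.
SENSITIVE = {("write", "source"), ("write", "config")}


@dataclass
class Principal:
    user: str
    roles: set
    mfa_verified_at: float   # epoch seconds of the last MFA completion
    session_issued_at: float


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    disk_encrypted: bool
    patch_level_ok: bool     # assumption: OS patch baseline check done by MDM


@dataclass
class Request:
    principal: Principal
    device: Device
    action: str
    resource_class: str
    now: float               # evaluation time, passed in so the logic is testable


def device_compliant(d: Device) -> bool:
    """Device identity is verified alongside user identity: every posture check must pass."""
    return d.managed and d.disk_encrypted and d.patch_level_ok


def authorize(req: Request) -> tuple:
    """Return (allowed, reason).

    Called on every request, not just the first one in a session: identity,
    device posture and policy are all re-evaluated each time.
    """
    p, d = req.principal, req.device
    if req.now < p.session_issued_at:
        return (False, "invalid session timestamp")
    if not device_compliant(d):
        return (False, f"device {d.device_id} not compliant")
    if (req.action, req.resource_class) in SENSITIVE and \
            req.now - p.mfa_verified_at > REAUTH_WINDOW_SECONDS:
        return (False, "step-up authentication required")
    for role in p.roles:
        if (role, req.action, req.resource_class) in ALLOW_RULES:
            return (True, f"allowed by role {role}")
    return (False, "no matching allow rule")


def demo() -> list:
    """Run constructed sample requests through the policy and return the decisions."""
    now = 1_000_000.0
    alice = Principal("alice", {"engineer"}, now - 60, now - 3600)      # MFA 1 min ago
    alice_stale = Principal("alice", {"engineer"}, now - 900, now - 3600)  # MFA 15 min ago
    laptop = Device("lap-1", True, True, True)
    byod = Device("byod-7", False, True, True)                         # not managed
    return [
        authorize(Request(alice, laptop, "read", "source", now)),        # allowed
        authorize(Request(alice, laptop, "write", "config", now)),       # no rule: denied
        authorize(Request(alice_stale, laptop, "write", "source", now)), # step-up required
        authorize(Request(alice_stale, laptop, "read", "source", now)),  # non-sensitive: allowed
        authorize(Request(alice, byod, "read", "source", now)),          # device fails posture
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the structure is that a valid session is never sufficient on its own: the device is re-verified on every call, a sensitive action inside an otherwise valid session still forces re-authentication once the MFA window has lapsed, and the final `return` is an unconditional deny, so a new action or resource class is blocked until someone adds an explicit rule.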