The Security Manifesto (sorry agile!)

A few days ago, I spoke to some folks about a security seminar I am running. During this conversation, I was struck by something. Most people today, when they think of security, imagine a disgruntled techie in a darkened room surrounded by empty cola and energy drink cans attacking something. They think of the white V for Vendetta mask-wearing folks. Or they think of a large room of people in uniforms stealing industrial secrets. Whatever security is in place, is being breached online. So, security is thus an IT problem.

We all sit the mandatory once a year security training, where we learn what CIA stands for (Confidentiality, Integrity and Availability). And then forget about it for another year. But at least you did your compulsory training! And we continue to hold the door open with a fire extinguisher rather than use the RFID cards to open it (because not everyone has one of those!) Or leave the magnetic door lock unlocked because the bell to open the door is annoying!

The first step is to change to way people think about security. It's not just technology, but process and people as well. That got me thinking - what we need is a manifesto!

So iteration 1 of The Security Manifesto:

We MUST uncover effective ways of securing organisations by doing it and helping others do it.

Through this work we value:

security by design over security is added

security is learned over security is bought

everyone is responsible over IT is responsible

following a secure usable process over following a security process

Apologies to the agile folks - but they're onto a good thing!