10 Security Principles to Live (or Die) By

Over the years, information security has gained a bad rap for a number of reasons; poor definition and poor application of security are two primary reasons. Here are ten information security principles that should help us put our definition into context.

  1. A business is in business to make money.

Seems obvious, doesn’t it? How often does information security get in the way of making money? If information security gets in the way of our business making money, then we’re doing it wrong. Information security must align with business objectives. This is almost impossible for corporate leaders unless we take an active role.

  1. Information Security is a business issue.

Information security is NOT an IT issue. The technical part of information security is complementary to administrative and physical security, not exclusive.

  1. Information Security is fun.

Who actually says or thinks this is true?! It really comes down to attitude. People do not want to do anything that they see as boring or painful. If we ask someone to do something that is important to our mutual success, we should make it as enjoyable as possible.

  1. People are the biggest risk.

This has always been and will always be true. Most organizations overspend on security technology at the expense of neglecting the people part of security. Your greatest risk is probably not technology-related.

  1. “Compliant” and “Secure” are different.

We shouldn’t confuse the two.

  1. There is no common sense in Information Security.

If there were, we would have better information security. This point re-emphasizes the point that people are our greatest risk.

  1. “Secure” is relative.

As you recall from our definition earlier, security is managing risks not eliminating them. We cannot reduce our risk to zero. The relativeness of security warrants ongoing measurements and comparisons.

  1. Information Security should drive business.

Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.

  1. Information Security is not one size fits all.

No two organizations are exactly alike. It makes sense to copy certain things that work for other organizations, but if we expect something to work we will have to make it our own.

  1. There is no “easy button.”

So stop looking for one.


Evan Francen on LinkedinEvan Francen on Twitter
Evan Francen
CEO at FRSecure
Nickname: "The Truth"

I am a 25+ year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not; however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people and making the world a better place.

Check out my new book UNSECURITY

1 reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *