Risks vs Resources

You need to evaluate the short-term, medium-term, and long-term risk, and ask, how willing are you to tolerate that risk? Then invest limited security resources to deal with risks you are least likely to tolerate. Betsy Cooper, executive director of the Center for Long-Term Cybersecurity at UC Berkeley (via CSO Online)

Always Write Dumb Code

Always code as if the guy who ends up maintaining or testing your code will be a violent psychopath who knows where you live. Dave Carhart

Insider Threat

The biggest threat to corporate security is corporate employees – whether malicious or not. Jason Hill, Director of Strategic Services, Cybriant

The Essence of Strategy

The essence of strategy is choosing what not to do. Michael Porter, “What is strategy?” In: Harvard Business Review, November (1996)

Secure

Everyone using “secure” as an adjective, as in “secure remote access,” is either selling something, or has just bought something. Andrew Ginter, from SCADA Security: What’s Broken and How to Fix It

Compliance

Compliance with standards means doing what someone else has told us to do, whether it is useful or not. Paul Feldman, from SCADA Security: What’s Broken and How to Fix It

CIA is Nonsense

At almost all industrial sites, the first priority is not availability, integrity or confidentiality, but safety. The second priority is always reliability, not of the control system, but of the physical process. Andrew Ginter, from SCADA Security: What’s Broken and How to Fix It