Top 5 Rules to Live By (for Infosec)

With the holidays upon us and all that happy-good-cheer crap going around, I thought I would try it and see if I couldn’t give back a little.  Perhaps I could even spark a little introspection as we look toward the new year.  Throughout the years I’ve picked up many little pearls of wisdom, and for those I haven’t forgotten, I’ve compiled them into my top 5 rules to live by (for infosec). 

Rule 1: Don’t order steak in a burger joint.

This is always my number 1 rule and comes via my father growing up.  Knowing how to adjust expectations is critical.  Being aware of the surroundings and everyone’s capabilities is important.  The steak reference is easy to picture and identify with, but this manifests itself daily and much more subtly.  A stone castle can’t be built out of sand, and a problem can’t be solved if people don’t see it.  It’s amazing and a little scary to realize how many mediocre burger joints there are. 

Rule 2: Assume the hired help may actually want to help

Once there is awareness about the environment, understand that people generally want to do the right thing. This is a hard thing to accept in infosec because the job is full of people making bad decisions and it’s easy to make fun of “stupid” people and mentally stamp a FAIL on their forehead.  But I found if I write off someone as incompetent I also write off the ability to learn from them.  Once I made this mental shift I was surprised at how smart people can be and how much I can learn from others – especially in their moments of failures.  Plus most problems have a more interesting root cause then negligence, if we can look for it.

Rule 3: Whatever you are thinking of doing it’s probably been done before, been done better, by someone smarter, and there is a book about it.

…or “Read early, read often.”  This is critical to improving and adapting.  Even if it hasn’t been done directly, then someone has done something similar, perhaps in some other field.  Find out, look around, ask questions, talk to co-workers, neighbors, kids and pets.  Sometimes finding things to imitate can come from weird places.  If none of that works, it’s always possible to think up security analogies that involve a home, perhaps a car.  (Note: please refrain from disclosing home/car analogies publicly, unless it’s for a comment on Schneier’s blog)

Rule 4: Don’t be afraid to look dumb.

Answering “I don’t know” is not only appropriate, it’s necessary.  Get out on that dance floor and shake it like it you mean it.  Because hey, anyone can look good doing the robot if they commit to it.

Rule 5: Find someone to mock you.

This is invaluable.  Whether we realize it not, infosec is a nascent field.  It’s relatively easy to look like a rock star, but detrimental to believe it.  Having someone around to bring up Rule #3 (repeatedly) is very important because it removes complacency.  There is always room for improvement.

So there we have it, the top 5 rules to live by (for infosec).  I would be interested to know what rules others come back to.  If anyone has some send them my way, because rule 3 does apply to lists of rules to live by.