In the course of 30 years or so working in computer security, I have often cited my three “Laws” to friends and colleagues. I’ve never committed them to writing, and I’ve never discussed them in public. Here, for the first time, are Graff’s Three Laws of Cyber Security.
The third Law:
“The security of any enterprise is inversely proportional to the confidence of the CIO.”
If the CIO says, “I think we’re in pretty good shape. After all, we encrypt everything,” he and his company are truly hosed. If, on the other hand, she says, “Worrying about security keeps me up every night. I’m really afraid we’re not doing enough,” the company is on the right path. Constructive worrying is key. Of course, they are probably hosed anyway.
The second law:
“The more critical a server or website is, the more out of date its security is.”
If you have ever tried to convince a vice president to take down the business’s key server so that you can install security patches, you know the truth of this principle.
Graff’s first law of cyber security is:
“None of this [stuff] works the way it’s supposed to.”
In private conversation, I never use the word “stuff”. I must have used close to 1000 security products, and I have never seen one that did everything it was supposed to do without fault, or that was in fact as resistant to assault by an expert attacker as its marketeers claimed. These principles have held true, without change, for 20 years or more. Because they rely on human nature and economics, not technology, I expect them to hold true for decades more.