Laws of Security



Maintain good security hygiene and risk awareness (including senior management); make it a point to exercise and practice worst-case-scenarios to support and update your guidelines.


Hire and promote the best people, and provide them with the necessary resources. Security is a lot more than just checkboxes and tools. It’s about the guys on the ground.


Nurture and practice good listening and communication up and down the hierarchy (both ways); establish trusted channels and practices. Good security begins by understanding what you need to protect. Build the relationship, force multiply security.


Systematically uncover, track, and address upstream, conditional, and systemic risks. They might point to deeper unknowns. It’s what you don’t see that will get you. Make it a point to always check second-order risks as well.


Build a superior and responsive intelligence capability, to include a red team perspective, threat and market intelligence, and good-old networking with your peers. Remember, proper prior planning prevents piss poor performance.

These basic truths were the result of a conversation with the folks at the Red Team Journal.

Original source of the basics.