Know what you need to protect. Reduce each problem to its lowest level of abstraction, and understand the risk and threat landscapes. Keep a single source of truth.
Security begins with people. Technology and process complement people; they do not replace them. Educate people, create processes, then implement technology. Pick the right people: quality is better than quantity.
Security is built around layers, with each layer being more difficult to penetrate than the one before it. Make the invisible visible, and always try your best to engage a threat at the outermost layer.
Never trust input. Make sure you authenticate the source. Be wary of unknown output as well.
Consider what you need for the circumstances you are most likely to face, not the ones that are the easiest or most exciting to plan for. Plan ahead, and red team it. Remember: it’s too late to start planning once the crisis occurs.
Have clear priorities and communicate them in a simple way. Strive for procedures and automation that are easy to follow and repeatable. Security supports a larger objective; don't develop it in a vacuum.
Search for the things that can go wrong, even if they seem impossible. Understand the issues and proactively address them.