Security begins by assessing and communicating risks. Focus on identifying vulnerabilities and developing a mitigation plan.
Always strive to remove complexity: create repeatable procedures and simple automation so that security requires no extra thought. Simple security leaves room to apply the fundamentals well.
Common sense will point to the right solutions and help you spot the patterns and indicators that current models don’t work. Adapt and keep processes light, changing them when needed, but remember that there are proven ways of doing things: don’t reinvent the wheel.
Always fail closed and loud. When controls don’t work or something deviates from the baseline, alerts should be everywhere, even if some of them are false positives.
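As an added illustration of this principle (example code, not from the original page): an authorization check written fail-open beside its fail-closed, fail-loud counterpart. The policy backend, the alert sink and the names alice/mallory are constructed stand-ins for whatever a real deployment uses.

```python
from dataclasses import dataclass, field

class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot answer (timeout, crash, misconfig)."""

@dataclass
class AlertSink:
    """Constructed stand-in for a pager or SIEM; records every alert fired."""
    events: list = field(default_factory=list)

    def fire(self, severity, message):
        self.events.append((severity, message))

def fail_open_authorize(lookup, principal, action):
    """Anti-pattern: a failure of the control silently turns into access."""
    try:
        return lookup(principal, action)
    except PolicyUnavailable:
        return True  # "keep things running": the control failing becomes a grant

def fail_closed_authorize(lookup, principal, action, alerts):
    """Fail closed and loud: any failure or anomaly in the control denies and pages."""
    try:
        allowed = lookup(principal, action)
    except PolicyUnavailable as exc:
        alerts.fire("critical", f"policy backend failed for {principal}:{action}: {exc}")
        return False
    if not isinstance(allowed, bool):
        # An answer that deviates from the expected baseline is a failure, not a "yes".
        alerts.fire("critical", f"malformed policy answer {allowed!r} for {principal}:{action}")
        return False
    if not allowed:
        alerts.fire("info", f"denied {principal}:{action}")
    return allowed

# Constructed policy backend: a tiny allow-list that can also be made "down" or broken.
POLICY = {("alice", "read"): True, ("alice", "delete"): False}

def make_lookup(down=False, garbage=False):
    def lookup(principal, action):
        if down:
            raise PolicyUnavailable("timeout contacting policy service")
        if garbage:
            return "yes"  # a string, not a bool: the fail-open version treats it as truthy
        return POLICY.get((principal, action), False)
    return lookup
```

The deny-with-alert on a malformed answer is the "deviates from the baseline" case: a control that starts answering in an unexpected shape is treated as broken, not as permissive.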
Modern technology pulls in an impossibly big number of dependencies. These in turn have more dependencies, making it virtually impossible to secure modern technology. Shrink the tech. Focus on simpler, proven, and tested solutions. Avoid the trap of the SBOMs.
Create secure-by-default standards, helping prevent exploitable vulnerabilities, insecure products, and open networks from proliferating. Automate hardening, and simplify application security.
Never trust input, connections, or identity. Make sure you authenticate everything across each layer. Be wary of unknown output as well.
Make the invisible visible by creating supporting preventive, detective, and reactive controls, always engaging a threat at the outermost layer.
You are always being attacked. Understand the ways in. What do you need to protect now? What are the immediate risks? Red team it.
The shorter you make your OODA loop, the faster you can observe your environment, orient security, decide what to change or do, and act on it. The more you do this, the better you can bring the fight to the bad guys by making it less enticing to attack you.