Our principles are what set us apart. We don't believe that compliance-driven command & control cultures make security better. Good security comes from teams of well-informed, empowered people who care about it, who want to learn, and who understand its importance. Our principles are designed to support this approach.
Good security is user-centred.
Treat people as the guardians and protectors of security. Help them feel motivated, equipped and empowered to make more secure decisions.
Good approaches don’t treat the people in a process as a problem to be solved or as a “weakest link”.
Good security requires people to be trusted.
Instead of creating a policy or process for every situation, create and share principles that describe the qualities of good decisions, and regularly discuss how to put them into practice.
Good approaches don’t try to eliminate trust. They define who to trust, and verify that continued trust is justified.
Good security is inclusive.
When considering security questions, involve a broad group of people and help them to collaborate, form consensus, and share what they agree.
Good approaches avoid working in isolation, because everyone involved in a process is involved in its security. If someone’s actions matter, so do their needs, motivations and opinions.
Good security comes from constant, iterative effort.
Make small changes that address the problems you need to solve, starting with the most urgent and important work, and learning as you go.
Good approaches make small changes and observe their effects, because it’s rarely clear what the consequences of a given change will be.
Good security builds resilience by embracing failure.
Good approaches build defence in depth, because defenders of systems make mistakes, attackers need only one mistake to succeed, and avoiding all mistakes is an impossible standard.
Assume that failures will occur, think about how and when this might happen, and use the evidence and insights you have gained to build resilience into your systems.
Good security looks incomplete.
Prioritise being responsive over being comprehensive, and develop your ability to adapt to changing circumstances.
Good approaches don’t look complete, because security is never finished. The appearance of being finished is bad, because it comes from poor prioritisation and leads to complacency.
Good security is underpinned by regular, effective communication.
Provide safe opportunities for people to bring up security in discussion, and make sure teams are able to discuss it productively.
Good approaches prioritise regular, timely communication, because security risk is complex and cannot be distilled into pithy titles and scores.