The following are quotes or paraphrased notes taken from talks I have seen, podcasts, or general conversations with people I know. If you feel you didn’t say these words, or wish to correct them, just contact me.
———
Microsoft gets it: you don’t teach programmers to be security people. You do it for them (or make it hard for them to do it wrong). – Unknown
——–
“Don’t make people security experts, make it easy for people. Get out of the echo chamber. Make accessible the message that people care about. People don’t want to think about security in what they do – they just want it to be there.” – Josh Corman
——–
“Make things simple and they will do it. Make it easier so people will use it.” – Unknown
——–
“People respond to transparency and openness. When issues are exposed – surfaced.” – Unknown SIRAcon 2016
——–
“We have to accept that its not our risk tolerance that matters as risk practitioners or security professionals. Its the person accountable for the risk at the end of the day. And until you overcome that your almost a barrier to what you’re trying to achieve.” – Chris Hayes
——-
“We have to work with the biz to get them to understand the risk, and design with it (for better solutions). This is why security should have 2 parts (maybe 3). A) understand and design ways to mitigate the risk for the new, B) manage risk day to day, operations C) Analyze the performance and effectiveness over time”
———
Risk Manager’s job is helping CSO sell security – sell the project. Whether its a great big investment decision, or small item – what are the attributes, the Risk and Opportunity measures (estimates and forces at play). – Alex Hutton
———
Risk Management / Security Metrics is a Security Optimization Program