In the two-day MGT433 Securing the Human course, we start the class by defining what risk is. Security awareness is nothing more than a control to manage human risk. To manage risk, you have to first define it. What stuns me is how often security professionals who have been in this field 5, 10 or even 15 years are so lost in the technical weeds that they forget (or never truly learned) the fundamentals of what we do. So, just to recap for those of us who have forgotten (and those who are new to the field), here are the five key tenets of cyber security.
Mission: I hate to break it to many security professionals out there, but your organization does not exist to be secure; it exists to get things done. Our job in cyber security is to support the mission of the organization, and that means managing risk to an acceptable level. That means your job is not to achieve perfect security; your job is to achieve “good enough” (I’m channeling my inner Marcus Ranum here). That also means getting hacked is okay. The goal is resilience: the ability to quickly identify and minimize the impact of an incident so your organization can continue its mission.