I always like to say that there are two types of bad security people (I don’t address security people who don’t know security): The Secret Squirrel and The Chicken Little.

We all know The Secret Squirrel.  These are the people who sit back in their infosec fortress behind the biometrics and don’t tell you anything at all because it’s “sensitive information”.   This includes security policy and procedures, which you can’t have because you might be an attacker.  In short, paranoia becomes everything for The Secret Squirrel to the exclusion of helping the business needs.

The Chicken Little behaves exactly like the children’s story.  “The sky is falling,” they say, “We’re exposed to these risks.  The end is near!”  These people are the kind who cannot prioritize between various degrees of badness.

What both of these types of people have in common is that usually they don’t really understand what they are doing.  They only know one part of the whole job, and that is what they fixate on.

Please don’t let this happen to you.

• MREs and Bad News
• Split-Horizon Assessments and the Oversight Effect
• “SBU” Must Die
• Audit Risks
• 20 Critical Security Controls: What They Did Right and What They Did Wrong