“The only real security that a man can have in this world is a reserve of knowledge, experience and ability.” — Henry Ford

My mum is a normal person with a security mindset. She was very natural with that kind of thinking and taught me a lot about security when I was young. That should be what people call social intelligence. I only realized that this was what I had been teaching others once I formally learned about security concepts.

When I was a little boy, my mum told me to be careful when going out alone. She asked me not to walk straight in the direction of our apartment after leaving the elevator if someone was behind me. I took it all the way, at all times. I would imagine myself in all kinds of trouble and how to get out of it. That is why I was neurotic sometimes, but that is what we need in cybersecurity. To others, it may look paranoid. It is the right thing to do for a genuine security professional who works hard on the projects or systems they are responsible for.

Last time I mentioned that the most important thing that makes a great infosec expert is a security mindset. This time, therefore, I want to focus on HOW. I learned from my own experience that this mindset is not something you are born with; it can be taught. This may not be much, but I hope that by emphasizing the significance of the right mindset, more people will concede that a high security standard is not only the obligation of technical personnel but of everyone in the organization or system.

Describing a security mindset in general terms cannot be practical at the same time. To handle that, I would like to put your mind into three roles I have experience with:

Security Engineer
Security Consultant
Security Architect

If you are like me, you wear all three hats. But you cannot think like all of them at once. Hence, I would like to state the distinctions among them and the focus of each role. Among the three, the security engineer's mindset should be the most widely adopted one. Let's talk about this one first.

1# Think like a Security Engineer

With all the vulnerabilities out there, it is not obvious for most people to find them. It takes a totally different way of thinking. This kind of thinking is not natural for most people. It is also not natural for IT staff or engineers. Good engineering practice is to build things that work perfectly. Security engineering practice, on the other hand, is to find the things that make them fail. Security engineers, at least the good ones, are different from IT engineers: they try to find what can go wrong instead of making it work. Every big tech company's Bug Bounty Program relies on this particular mindset.

I found my own thinking explained in a blog post by security guru Bruce Schneier a long time ago (2008):

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

Think from the Other Side (Offense)

Another way to think like a security engineer is to think like a hacker. To explain this, I need to ask whether anyone has watched the famous film “Catch Me If You Can”. In the movie, Carl Hanratty (played by Tom Hanks) is the role model of how to think like a hacker, and he finally catches Frank Abagnale Jr (played by Leonardo DiCaprio). If you want to protect a jewelry store from thieves, you need to think about how someone could get into the store without being noticed. You don't need to be a hacker to think like one. Infosec professionals don't need to exploit the vulnerabilities they find, but if they don't see the world that way, they will never find any security problems.

Key Point: A Security Engineer finds out what can go wrong.
2# “New” is the New Black of security.

Every 39 seconds, there is a hacker attack on a computer with Internet access, according to a Clark School study at the University of Maryland. On the other side, the cat is chasing the mouse with its best effort. Patching and updating, as a result, is an essential part of security management. A security consultant is required to think with a growth mindset. Quality Assurance (QA) in production environments always talks about the Plan-Do-Check-Act process (PDCA). ISO 27001, the international standard for an Information Security Management System (ISMS), indicates that continual improvement is a pivotal aspect of the ISMS in attaining and maintaining the suitability, competence, and effectiveness of information security in relation to the organization's objectives. There is a whole clause about Continual Improvement (10.2) in 27001.

New applications, new technologies, new users… It should be understood that security landscapes are always advancing. Like The Transformers: although Optimus Prime is always there to fight the new enemies, he always has new weapons or a new look. What you just did flawlessly will be outdated one day. Therefore, an open, creative, and flexible mindset is non-negotiable. A periodic update and review should be under consideration at all times.

Key Point: A Security Consultant reviews and maintains.

3# Thinking like a hacker is NOT enough.

Thinking like a hacker helps you to build a better barrier. But security is not only about offense and defense. Security design, if you are aware of it, is another element of the full picture.

Think about the limits

In reality, everything has its limit, whether it is money, time, hardware, or software… A security architect, therefore, is the person responsible for considering the boundaries. The clearest distinction between a great security architect and a security engineer is the boundaries. If you continually try to increase the security level of a system, it will not work. Why?

It is because no one wants to go in and out of a maximum-security prison to work every day. That is why choosing between usability and protection in security design is a crucial process.

When thinking about boundaries, the first thing to bear in mind is the scope of protection. What is the target of protection? What is the goal we want to achieve with this control? The boundaries should be around the assets, not elsewhere.

The second boundary is the baseline. Before making the first move, think about what cannot be removed, or what is non-negotiable. For example: anti-malware should be up to date on every active system in the environment; the “any-any” firewall rules of “deny/block” should be placed last.

The last boundary is resource limitations. With the first and second boundaries considered, the architect should now have a clear purpose and know what should be done first. Therefore, prioritization is now possible when something is being accepted or discarded. There is no free lunch, including in security thinking. Keep asking yourself, “What's the catch?”

Key Point: A Security Architect makes early decisions based on boundaries.

Choose your focus when wearing a different hat.

While all of them are important, you should consider what situation you are in, and think like what you are supposed to be at the right moment. And remember, be calm.

A Security Engineer Mindset (Attack and Defense): find out what can go wrong; think like a hacker.
A Security Consultant Mindset (Review and Maintain the security landscape): understand that nothing is fixed (a Continual Improvement process); apply Plan-Do-Check-Act.
A Security Architect Mindset (Make decisions based on boundaries): define the scope of protection; know and hold the baselines; find out the limitations.

Thank you for reading. Happy reading and security thinking.
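The baseline example in the architect section, that the "any-any" deny rule belongs last, is worth seeing in working code, because the reason is mechanical: most firewalls evaluate rules first-match, so a deny-all placed early shadows every allow after it. The following is an added illustration written for this page, not code from the post's author. It assumes a simplified first-match rule model (action, source CIDR, destination CIDR, optional port) and constructs two small rule sets to compare: a correct one with the any-any deny last, and a misordered one with the deny first. The baseline check reports both problems an architect would want flagged: a missing explicit default deny at the end, and an any-any deny that shadows later rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule. 'any' in src/dst and port=None match everything."""
    action: str            # "allow" or "deny"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # destination port, or None for any port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (_ip_in(self.src, src_ip)
                and _ip_in(self.dst, dst_ip)
                and (self.port is None or self.port == port))

    def is_any_any_deny(self) -> bool:
        return self.action == "deny" and self.src == "any" and self.dst == "any" and self.port is None


def _ip_in(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr, or cidr is the wildcard 'any'."""
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate rules top-down; the first matching rule decides.
    If nothing matches, fall back to an implicit deny (the safe default)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def baseline_findings(rules: List[Rule]) -> List[str]:
    """Check the ordering baseline from the text: an explicit any-any deny must be
    the last rule, and must not appear earlier where it would shadow later rules."""
    findings = []
    if not rules or not rules[-1].is_any_any_deny():
        findings.append("last rule is not an explicit any-any deny")
    for index, rule in enumerate(rules[:-1]):
        if rule.is_any_any_deny():
            shadowed = len(rules) - 1 - index
            findings.append(f"rule {index} is an any-any deny that shadows {shadowed} later rule(s)")
    return findings


# Constructed sample rule sets (hypothetical addresses, not from the page).
ALLOW_WEB = Rule("allow", "10.0.0.0/8", "10.1.2.3/32", 443)   # internal clients to a web server
ALLOW_SMTP = Rule("allow", "any", "10.1.2.4/32", 25)          # anyone to the mail relay
DENY_ALL = Rule("deny", "any", "any", None)                    # the any-any deny from the baseline

GOOD_RULES = [ALLOW_WEB, ALLOW_SMTP, DENY_ALL]   # default deny placed last: allows are reachable
BAD_RULES = [DENY_ALL, ALLOW_WEB, ALLOW_SMTP]    # default deny placed first: every allow is shadowed


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "web:", first_match(rules, "10.5.5.5", "10.1.2.3", 443),
              "| findings:", baseline_findings(rules) or "none")
```

Running the block shows the good set allowing the internal web request and producing no findings, while the misordered set denies the same request and is flagged twice: the final rule is not a default deny, and rule 0 shadows the two rules beneath it. The same check generalizes to any first-match policy engine where a broad rule placed too early silently disables the specific rules after it.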