Good, though short, write-up. In particular, note Cisco’s five security principles, which state that security must:
- support the business;
- work with existing architecture and be usable;
- be transparent and informative;
- enable visibility and appropriate action;
- be viewed as a people problem.
IMO the most important takeaways are 1) resilience needs to be at least as important as system hardening, and 2) it’s a people problem, from the Board all the way down to the individual end users. As I’ve said before, nowadays the human often gets hacked (i.e., spear phishing) before the computer system does.