I've seen this question in lots of places and it usually is answered with a few more or less specific technical answers. Like "apply updates regularly", "turn off services that aren't necessary" and so on. I would like to point out some completely different things that I think applies to everybody involved in security. They aren't necessarily the most important things, but I know they cause a lot of problems out there when done wrong.

• Never overestimate your own knowledge and capability or underestimate the need for knowledge. There are lots of things to learn for all of us, we all make mistakes, we all have more or less of a misbalance in the weight we put on various aspects of security. Make sure you work hard to have a proper balance - not overemphasize some things and underemphasize or completely leave out others. Learn enough so you *really* know what you're doing, learn at least some of what's "under the hood" of programs you use etc. Check what you have just done - or even better - have someone else check what you have just done. Don't just check from one point of view - for example, if you have made a configuration change then check that you did it correctly in itself, but also use some tool to make sure that the system actually works in the way you configured it to work. And never ever think that buying a security product can compensate for the lack of knowledge.
• If you work at a technical level, then learn to work against the main goals of your organization. In some way your security work should be focused on making it possible for those goals to be fulfilled, usually through a chain of sub-goals. If you apply too little security bad things will happen, but if you apply too much security, or at the wrong places, you will spend time and money that could be spent on better things. Maximum security everywhere is almost never a main goal in itself, but that is too often forgotten. Learn this and you will get more respect from management people. Then they will listen more to what you say about the technology needs.
• If you work at more of a management level, then learn never to underestimate the importance of details. No amounts of paperwork will make your systems and networks secure unless there is someone who is capable of performing, and actually performs, the final steps of securing them. Too many times I've heard people say the phrase "technology is the easy part, that's no problem", and ironically those people often have systems that look like swiss cheese - and they're not even aware of it (guess why). Learn this and you will get more respect from the technical people. Then they will listen more to what you say about the management needs.
• Never forget that if the users don't understand security or don't understand what you're trying to accomplish, then your security work often is of no use, or at least of much less use than it could be. Make sure that people understand *why* they should do things in a certain way and are forbidden to do it in other ways. That will make them so much more motivated than if they are just given a long list of "don't" points. Never make users feel afraid of you by making them feel bad about their mistakes or in any other way, because if you do, they'll never come back to ask you for help when they have some kind of trouble - which will only make things worse.

Based on your experiences, do you find proprietary software or open source software to be more secure?


Personally I try not to think that way at all. My view is that people really don't use software because it is secure - they use it because they have something they want done and the software helps them doing it. So the main thing is the functionality needed. Unfortunately, because some people will attack the software, we also need a proper level of security - but the main thing still is that people need software that can do the things they want done. If they have a need for either proprietary or open source software to fulfill those goals, then they should pick the one they need.