Edward Luck
Melbourne, Australia
I am an Information Security Consultant/Analyst with a background in Network and Security Controls architecture and operations, but today I use Risk as my tool of choice. There are few people who enjoy working with Risk, and even fewer who would also call themselves technical. I'm one of them.
When I'm blindly told something should be done for the sake of security, I always ask: Why?
Many of the standards you are told to follow are based on an assumption of certainty, and are written in a vacuum which ignores the unique position of each business. Know that in Information Security there is no certainty; there is only Risk. How high or low the risk is, and how much risk your clients are willing to take, differ every single time.
As a security professional, you should ask yourself one very simple question: am I implementing controls for my clients because I know they are the right choice, or because that's what everybody else does?
The true security consultant will confidently know that their advice is the best way of managing the threats their client faces. This advice may go against what is commonly perceived to be "Best Practice", but they will know that their guidance is based on measured and accurate data.