Let’s Unpack the 10 Immutable Laws of Security Administration

The '10 Immutable Laws of Security Administration' provides a solid foundation for IT practices. Here are thoughts about each law and how the laws help to protect organizations.

Brien Posey

July 18, 2022

8 Min Read
Let’s Unpack the 10 Immutable Laws of Security Administration

I recently discovered an article in which Microsoft outlines 10 immutable laws of security administration. Unlike similar lists of security rules and best practices, Microsoft's is really frank and tells it like it is. Although I think the author of the original article lays out the laws effectively, I want to share my thoughts about each one.


#1. Nobody believes anything bad can happen to them, until it does.

The first of the 10 immutable laws of security administration states that nobody believes anything bad can happen to them until it does. I tend to think of this one as being not just a law of security administration but of life in general.

We are all affected by normalcy bias and often believe nothing bad is going to happen. We see examples of this in everyday life all the time. Someone who sends text messages while they’re driving, for example, probably would not do so if they believed something bad would likely come of it.

From a security perspective, I tend to view this first law as a catalyst for procrastination. As IT pros, we generally know where the weak points are in our security, but we may not necessarily feel a sense of urgency to address them. After all, nothing bad has happened yet.

Even so, there is a strong likelihood that a security incident is going to eventually occur, so it makes sense to prioritize the remediation of any known security deficiencies.

#2. Security only works if the secure way also happens to be the easy way.

The second law is that security only works if the secure way also happens to be the easy way. As someone who has worked in IT for over 30 years, I can personally attest to just how true this law is.

End users typically view security as a thing that is “nice to have” but not necessarily essential. It makes sense: Users just want to be able to do their jobs with minimal friction.

This underscores the idea that users are generally happy to adhere to security best practices, so long as those best practices don’t impede productivity. The minute that security procedures cause users to become less efficient or require additional effort, users will inevitably begin to look for ways to circumvent those procedures to make life easier.

#3. If you don't keep up with security fixes, your network won't be yours for long.

Microsoft’s third rule is that if you don’t keep up with security fixes, your network won’t be yours for long. This rule is kind of a no-brainer, but that doesn’t make it any less relevant or important.

For a software company, there is a direct cost associated with developing and releasing patches. As such, no software company releases patches just for the sake of being able to say they have released them. Security patches exist as a way of addressing known vulnerabilities within the software.

The simple fact that a patch exists tells the hacker community that the vulnerability was significant enough to warrant patching. As a result, hackers will begin to figure out how to exploit the vulnerability and seek out unpatched systems.

All of this is to say that if you don’t apply the available security fixes, it is only a matter of time before your systems become compromised.

#4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.

The fourth rule on the list is that it doesn’t do much good to install security fixes on a computer that was never secured to begin with. As previously mentioned, security patches are designed to address known vulnerabilities. However, security patches won’t stop a hacker if the system is configured in an unsecure manner. It’s much easier for an attacker to gain access via poor security configuration than it is to learn how to exploit a known vulnerability.

#5. Eternal vigilance is the price of security.

The fifth rule is that eternal vigilance is the price of security. This is a fancy way of saying that there is no such thing as “once secure, always secure.”

Things change over time: Vulnerabilities are discovered, security best practices evolve, and new software versions get adopted. Countless factors could cause a previously secure system to suddenly become unsecure. Therefore, IT pros must always be alert and keep up with the times.

As a way of driving this point home, let me give you a really ridiculous example. In 1989, I discovered a computer virus that had infected a Fortune 500 company’s network. A close relative of mine worked for the company, and I just happened to be visiting the office when I noticed some of the telltale signs of a viral infection. The software that I used to remove the infection was among the best antiviral tools at the time, and it did a great job of removing the virus.

Now, imagine what would happen if I tried to use that same tool from 1989 to get rid of a malware infection today. My security tool from the late ‘80s probably wouldn’t even load on a modern system. And even if it did, I guarantee it would be completely ineffective against a current malware variant.

The point is that just because you adopt a best-of-breed security tool does not mean that it will hack it forever. Even the preeminent security products and best practices eventually go stale, so it is critical to change with the times.

#6. There really is someone out there trying to guess your passwords.

The sixth immutable law of security administration is that there really is someone out there who is trying to guess your passwords. It’s easy for small organizations to dismiss this particular law by saying they are a small fish in a big pond. They may believe that cybercriminals are far more likely to go after better-known targets.

Most credential theft attempts are automated and indiscriminate, however. Phishing messages that seek to steal user credentials may be sent to millions of email addresses with no regard for organization size.

Furthermore, even if cybercriminals value some credentials over others, the data seems to suggest that all credentials -- from large and small organizations alike, as well as from individuals -- get stolen.

#7. The most secure network is a well-administered one.

The seventh law on Microsoft’s list is that the most secure network is a well-administered one. There are a couple of things that immediately come to mind with this rule.

First, there is a cybersecurity best practice that essentially states that you can’t secure what you can’t manage. Administration is all about management, and if a resource is not being properly administered, it’s probably not secure either.

The other, much bigger idea is that sloppy administration has poor security as an inevitable byproduct. Think about Active Directory group management as an example. An organization that does not prioritize group maintenance is going to have groups that contain users who should no longer be group members. Those users will undoubtedly have access to things they shouldn’t. Conversely, an organization that regularly audits group memberships is far less likely to have users with excessive permissions.

#8. The difficulty of defending a network is directly proportional to its complexity.

The eighth law states that the difficulty of defending a network is directly proportional to its complexity. This law really comes down to attack surface. The more sprawling and complex a network is, the larger its attack surface and the greater the chance the network contains an exploitable security vulnerability.

Similarly, a complex network tends to be harder to monitor than a simple one, which can make it far more difficult to detect an impending security breach.

#9. Security isn't about risk avoidance; it's about risk management.

Security is about risk management rather than risk avoidance, the ninth law states. There is a lot more to this law than meets the eye, and I’ll probably dedicate an entire article to it at some point. However, for right now, let’s look at the basics.

What this law is really saying is that it’s impossible to avoid all risks. There are always going to be security risks associated with any network. You can easily address some of those risks, but there are other risks that you probably can’t do anything about.

Likewise, some risks represent a serious threat to an organization’s security, while other risks are unlikely to ever manifest.

This is where risk management comes into play. Risk management is all about identifying the risks that an organization faces, then prioritizing those risk based on consequence and likelihood.

#10. Technology is not a panacea.

The final law on the list is the simple statement that technology is not a panacea. There are several different ways that you could conceivably look at this law, but I tend to think of it like this: You cannot expect technology to solve all your security problems for you.

In fact, the opposite can be true. When you add a new security product, you actually increase the potential attack surface of your network. Yes, security software is designed to keep you secure, but there is always the chance that the software contains an exploitable vulnerability.

About the Author(s)

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.


Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like