Building Information Security Program from Scratch

Intro
Take every opportunity you get to learn new things, but stay away from the dark side.
Kids should learn to code at an early age. We need to be teaching them morals and ethics from the start. Secure development needs to be a part of every curriculum and reflected in grading
Courtesy of NBU) It takes a really shitty manager to show you the traits that make a really good one.
Courtesy of Bearing Point) When the shit-storm hits and your manager holds an umbrella over your head, the poo still needs to land somewhere.
Courtesy of KITS) Military contracts don't care about
Courtesy of LoopOne) "IT Manager" when you have nobody to manage is another way to say "scapegoat".
When opportunity comes knocking, don't just stand there...open the damn door!
You can talk all you want about improvements, but it doesn't mean s#!t if you can't prove it with metrics. Metrics! Metrics! Metrics!
All the knowledge in your head is worthless until you use it to help others.
Compliance and security go hand-in- hand. Use it as an opportunity to educate. Be the carrot, not the stick.
Ask about their requirements before you start talking about security.
When evaluating security issues, risk management is how we help to justify what to work on first.
Risk management is how we communicate technical security issues with the business and executives.
Once you develop an appetite for security, the hunger will grow and people will want more information sooner.
Hire people that eat, sleep, and breathe security. They're the ones who are in it because they love it, not because it's a means to a paycheck.
InfoSec is fun. Be passionate about what you do. Show others your passion and they will share in it with you.