Quotes

Pieces of knowledge and tips that come from presentations given over the years (earliest from 2004). If you use any, please provide proper attribution.

Note: These quotes were compiled, and are managed, by former members of ACG.

“Establish baselines. Look for anomalies. Have a plan.”
“Always ask: what can go wrong?”
“Create baselines. The mind needs those baselines to know what is “normal” in a situation, and what is “outside the norm” and ingenuity needs to kick in.”
“Control what you can control. Mindset is about embracing chaos and being comfortable there.”
“Training must mimic real life conditions as close as possible. Why? Because real life is not sterile, clean or dry. It is stressful and unpredictable, and that’s where you need to proactively prepare to thrive.”
“Ingenuity about problem solving often brings the right solutions. But ingenuity happens because you are trained to improvise and adapt to the situation unfolding in front of you.”
“It’s how you approach the situation that will dictate the outcome.”
“The only way to disrupt is to become capable.”
“It’s not what you say, it’s when and how you say it.”
“If it’s stupid but works, it isn’t stupid.”
“If you’re happy with your plan, you are not doing it right.”
“Competent security teams cannot be created after breaches occur.”
“The goal of a good security program can be summed up in one phrase: to make yourself as resilient as possible. The harder you are to kill, the longer you will last, and the easier it will be to recover from a real world attack.”
“The bad guys don’t obey our security policies.”
“Remember a simple fact: the bad actors ALWAYS have the advantage. They can choose when and where.”
“Always have a plan. Always have a back-up plan, because the first one probably won’t work. Always have an escape plan because all the rest of the plans will fail.”
“It’s what you don’t see that ultimately gets you. And you can’t know what you don’t see until someone makes you see it.”
“Disrupt that.”
“The most effective means of protecting yourself and your property is the liberal use of common sense reinforced with a high state of security awareness.”
“Act, don’t react.”
“When in doubt, red team it. It’s all about execution. If you fail to execute correctly, the rest was for nothing.”
“I have my target, and it’s an almost impossible target, and I am not changing it, and fuck if I care, I will try...”
“Life is like a box of shit, you always know what you’re gonna get... Invest in crappy security, and you will get crappy security.”
“The solution is in the problem. Work the problem.”
“Gesunder Menschenverstand?”
“Fuck that. Security is rolling your sleeves and working hard, and playing the politics of BS.”
“My policy is: 1. Rate managers by how well they enable other people to achieve things successfully. 2. Rate ICs by how well they think on their feet, recover from failure, and ultimately deliver the thing.”
“Security should be simplified. Security must be simplified. Security as it is today must be disrupted. Let’s start by looking at the complexity of solutions we have. What are we trying to solve? What are we trying to prevent? What are the adversaries doing and, are we focusing in the right places? Are we trying to solve the right problem?”
“The simpler our plans, policies, and processes are, the better the chances they will survive the real world, not only because simpler solutions are usually more resilient by nature, but they can be adapted if they don’t work, taking out things, or changing them until we hit the right one.”
“360 degrees around. That’s where you should be looking at. Security needs to change. Reactive doesn’t cut it. Proactive doesn’t cut it if you don’t factor reality. Change your mindset and start developing the right capabilities.”
“You are fucked... And I don’t care...”
“Rule: use a password manager to create long and random passwords, never reuse passwords, always set a 2FA when available, and use passkeys when possible. The fact that I have to repeat this rule almost daily shows the state of security these days...”
“The point remains that the most important things we need to protect are data and identity. Data because it continues to be the main target of attacks, and identity because it continues to be the main vector of attack by which bad actors gain access to data.”

© 2009-2024 Modern Adversary. No tracking or visit logs.