The Rule of Two

The group I work with has a simple rule that pays off in spades.

Any time a security recommendation is made, we check it against another team member. Thus, any decision follows our rule of two. The second person's job is to play the devil's advocate and to check for assumptions, mistakes, and to provide a second viewpoint on the recommendation.

Often we take into account the other team members' history and other specialties to best choose the person to look at our recommendation. That allows us to make sure we're not missing out on crucial tidbits of institutional knowledge or expertise.

The rule of two also gives us better depth - while a documented recommendation is made and archived, having two people who know about it on staff means that more people will actually remember the recommendation and know what it was and why it was made. With the shades of grey approach that security often has to take to make business work, that knowledge can be critical.