Cybersecurity First Principles: A Reboot of Strategy and Tactics
Book written by Rick Howard
Book review by Helen Patton
Bottom Line: I recommend this nonfiction book for the Cybersecurity Hall of Fame.
In the spirit of full transparency, the reader of this review should know that I consider Rick Howard to be a mentor and friend, and we have worked together on the Cybersecurity Canon for several years. Regardless of my personal connection, I am excited to recommend Rick’s book Cybersecurity First Principles as a candidate for the Cybersecurity Canon Hall of Fame. To qualify as a hall of fame candidate, a book must be timeless, apply to everyone in the cybersecurity profession, and share wisdom that a cyber professional requires for their career. Rick’s book does these things with clarity and an abiding respect for the industry.
Cybersecurity First Principles is written for a “broad swath” of cybersecurity professionals, focused on three groups: security executives who have long worked in the industry, who may need to reset their thinking about how they work; people new to the field, who need a foundation on which to build their understanding of cybersecurity; and teachers who can use First Principles as a basis for their curriculum. In other words, this book is written for everyone in cybersecurity, or who wants to know more about cybersecurity.
The purpose of this book is to identify the “first principles” of cybersecurity, so that we can course-correct how the industry approaches cybersecurity, and to abandon practices that are misguided or damaging. The author spends his first chapter giving an interesting and detailed history of how we’ve previously thought about this topic (the references here are well worth a read in their own right). He describes “first principles” this way:
“First principles in a designated problem space are so fundamental as to be self-evident; so elementary that no expert in the field can argue against them; so crucial to our understanding that without them, the infrastructure that holds our accepted best practice disintegrates like sand castles against the watery tide. They are atomic. Experts use them like building blocks to derive everything else that is known in the problem domain. All new knowledge gained in the problem domain is dependent on our previously developed first principles.”
The author notes that the cybersecurity profession has lost its way: “…we keep adding on to the pile of things we’re already done with no thought about whether our previous assumptions were correct” and “if the community can’t agree on what we are trying to do as a group, it’s time to get back to first principles.” By the end of chapter one, he has suggested a cybersecurity first principle “reduce the probability of material impact due to a cyber event in the next three years”.
The remainder of the book goes on to suggest strategies and tactics that drive down material impact over a discrete amount of time. The author proposes five sub-strategies, with accompanying tactics, built on the first principle, that will help any organization to build a defensible security program:
- Passive Cyber Hygiene (Zero Trust)
- Active Defenses (Intrusion Kill Chain Prevention)
- Risk Forecasting
Anyone who has read a lot of cybersecurity books might be unimpressed with the outline I describe above. There are lots of books about zero trust, or resilience, or any of the five strategies included in this book.
What makes this book Hall of Fame-worthy is that the author takes these timeless, complicated topics and distills them to their most simple purpose, then weaves them together to show how each relates to another, and then gives useful tactics of how to implement each of them – all while adhering to his core thesis of first principles. For example, in the section on risk forecasting, the author acknowledges the industry problems with forecasting probabilities (too much math! too many assets! too much change!) and THEN goes on to give a solution to the problem, with examples (superforecasting plus Fermi estimates plus Bayes’ rule) that are achievable for any size organization with any level of security maturity.
Cybersecurity First Principles is a book that is well organized, easy to understand, and full of real life experiences. But don’t let the simplicity of it fool you. In order to write this book the author needed to have years of professional experience and a deep knowledge of the history of the industry in order to bring these concepts together.
In writing this book, Rick Howard gives the security industry a gift: a guide to managing a cybersecurity program in a defensible, pragmatic and meaningful way. Along the way, he provides a wealth of further resources that readers can use to deepen their knowledge of any of these topics, to be used by students of the profession regardless of their seniority within it. I recommend this book for the Cybersecurity Canon Hall of Fame.