
Cybersecurity First Principles: A Reboot of Strategy and Tactics


Book written by Rick Howard

Book review by Aleksandra Scalco, Ph.D. 

Bottom Line

I recommend this book for the Cybersecurity Canon Hall of Fame.

Review

I am always on the lookout for ways to better explain the term “cyber” and how to better implement what we call “cybersecurity.” Reading my way into the new year, I found a phenomenal book that lays down how to think about “cyber” and “cybersecurity.” I was blown away by a book called “Cybersecurity First Principles: A Reboot of Strategy and Tactics,” by Rick Howard. [1] I first met Rick Howard at one of his speaking engagements a few years ago. He caught my attention then with his comment that we shouldn’t be talking about making the Internet “safer” – we need to be talking about making it “safe.” Now, there is a clear vision. So, of course, when Rick Howard published this book in late 2023, I had to read it.

Rick Howard doesn’t disappoint. Cyber is a complicated subject to get your head around. Howard writes in the clearest style that only someone with his cybersecurity depth of knowledge and experience can convey. He gives us a fresh perspective on how to think about “cybersecurity” to really gain a deeper understanding. The book gets a lot of praise for capturing his knowledge and doing it so well. The reasoning may not be immediately obvious to all, but Howard masterfully takes the time to explain the ideas and genesis behind “first principles” without limiting the readers’ creativity in the process. For anyone tired of repeated material, this is more than just another rote book, generally repeating information about the subject. His book goes into detail with lots of historical references. I am genuinely excited about the creative, lateral thinking approach Howard takes to explain how to solve complex cyberspace problems without limitations imposed by established rationales. If “cyber” is one of the more misunderstood terms, then author Rick Howard has responded. [2] Written in the most compelling style, Howard convincingly illustrates how to build your cybersecurity program with the persistence and patience of a seasoned technical leader. This book explains how to come to terms with cyber in your corporate strategy and how to put tactics into place to allow “cyber” to be used for the good of your operational mission. He does what he says in the title, which is to deliver “Cybersecurity First Principles.”

I spend a lot of time speaking with people about research and development of cybersecurity initiatives and how to navigate implementing these cybersecurity initiatives, such as Zero Trust strategies, into operations (without forklifting the entire network, throwing everything out, and starting over). John Kindervag first gave the community a sense of the new information security model. [3] The Department of Defense (DoD), Joint Defense Information Systems Agency (DISA), and the National Security Agency (NSA) later published a Zero Trust Reference Architecture leading the community to implementation. [4] Howard shares how to take command of implementation. He is a widely recognized cybersecurity technical expert with decades of experience at the pinnacle of leadership in commercial companies and government, and he is ready to bring you along with him to a better future for everyone. Better than anyone before, Howard tells you how to think like a cybersecurity technical expert and then walks you through how to be a “First Principle” thinker yourself. I like that the book pries open the cyber domain mysteries, decomposing principles into their most basic, foundational, functional form, and then takes you through what resilience, probability, and risk forecasting mean when you look through a “First Principle” lens. Technological advancements in computing are moving at lightning speed, creating a world more interconnected than ever, and with these advancements comes responsibility and accountability, across all work roles, for the cyber and cybersecurity implications of every activity and decision undertaken in an organization. It is an ongoing challenge to persuade and influence people with conflicting interests and equities to move in the same direction or take a recommended course of action. This book shows how to take command of coordinating an organization’s network defense and network operations.
Better yet – the book is a great way to better explain the term “cyber” and ensure everyone in the organization can understand what today and the future may look like if everyone understands what’s going on. The book is going to teach your team to think about cybersecurity differently, not just go through the motions of checklists, to a more sophisticated level. The book offers a summary of decision-making for cybersecurity. Then, the book provides insight into what a technical leader does and how to do it (think strategy and tactics). No one gets away with not understanding how to get to the inner mechanics of Zero Trust, Intrusion Kill Chain, resilience, and risk forecasting after reading this book.

Commander’s Intent

Tons of praise for this book. It feels like we all sort of knew there was a gap in how to find answers to cyber problems. Howard masterfully brings us his expertise with many examples we can use to find answers. This book is a must-read for all cybersecurity professionals, but anyone working today needs to read it. Do you work today in a field that does not touch the Internet? You may think you do not need to know the book's contents in your field, but then tell me what field that is. This read offers a rational, straightforward method to think through an organizational “cyber” posture. The book is useful for both the public and private sectors. Howard describes the big picture to the troops. His situational analysis covers a wide breadth of research on the subject, from philosophers to mathematicians, in an interesting and sometimes humorous way. He does a wonderful job explaining how we got to where we are today, points you where to find additional information, and, like a true leader, lays out a roadmap to help you find your way on your own without complication—literally, in a map figure, “Figure 1 Cybersecurity first principles road map.” No secrets are held back here. Understanding how intelligence sharing fits with Red/Blue Team operations, or how the Zero Trust strategy (note that Zero Trust is a strategy, not a thing and not a tactic) can be used to get after the “first principles” along with other corporate strategies such as risk forecasting, is all here in a relatively short read. The Commander's intent is laid out in a way that someone in the C-Suite, and at several organizational levels below the issuing Commander, can understand. This book will help you articulate what a safe cyber posture will look like in its best state (not an end state). The contents will help to empower an organization as strategies and tactics are implemented and adapted to a changing environment. The point is that cybersecurity is a learnable skill.

Making Key Decisions

The content is evergreen. It is for anyone responsible for developing and implementing a cybersecurity strategy and anyone who has to follow one. The book points to the need to rethink cybersecurity and understand the limits of cybersecurity approaches. The discussion of how to build a secure system and what that means will be around for a while. The book presents a new way of thinking about computing, framed the way a military commander would frame it. It is about the essence of “cybersecurity.” A technical leader recognizes the usefulness and limits of structured frameworks and processes such as the U.S. National Institute of Standards and Technology’s (NIST) 2018 “Framework for Improving Critical Infrastructure Cybersecurity” (updated from the original 2014 version) or cybersecurity compliance standards. [5] Bureaucratic logic approaches can lead to mechanical behavior when left unattended, which limits the necessary functions of key decision-making related to cyber. This river looks too wild and wide to cross as you have always done with rivers in the past. But wait – there is possibly a bridge that can be used to achieve the same goal – getting to the other side. That is using a new way of thinking. Howard connects the dots in a new way that no one has noticed before. Instead of following established steps and rote memorization of security controls, perhaps we as a community need to think about cybersecurity differently. As the adage goes, “the rising tide raises all ships.” Compliance standards and frameworks help put controls in place, but we still need problem solvers to turn the tide to defeat common threats in cyberspace.

Conclusion

This book makes an important contribution to our understanding of cybersecurity. I started by saying that I am always looking for ways to describe “cyber” and “cybersecurity” to support conversations about cybersecurity and research on emerging engineering technologies. This book sets a high standard with an answer that sometimes the obvious solutions may not be the right solutions. The origins of the term “cyber” are traceable to system and organizational theory, “cybernetics,” which is derived from the Greek “kubernetes,” meaning to pilot or steer. Related to kubernetes is “kubernesis,” which may be translated as the gift of administration or governance. Howard shares his gift with us. It is the idea that there is a leader who guides a group toward a common goal. First principles ensure everyone in an organization understands the mission and the vision of how that mission will be executed (administered or governed). In return, technical leaders and decision-makers can work with each other better to implement cybersecurity strategies and resolve technical issues. Rick Howard does not disappoint. This book is part of his effort to make the community safer. Howard has not steered far from his military roots as a 23-year U.S. Army veteran and Commander of the U.S. Army’s Computer Emergency Response Team (ACERT) by writing a book that uses judgment and experience (sometimes intuition) to better understand organizational cybersecurity posture. The term “cybersecurity” can be so abstract. Emerging policies, doctrines, and strategies such as Zero Trust can be equally abstract, making developing, acquiring, testing, and evaluating technologies, processes, methods, and training even more complicated. Decomposing cybersecurity into First Principles leads us to a new way of framing and thinking about cyber. The second half of the book offers insight into decision-making related to the effective implementation of strategies and tactics.
It takes creative thinking and challenging our own assumptions that might otherwise get in the way of our cybersecurity operations before the answers become clear. “Cybersecurity First Principles: A Reboot of Strategy and Tactics” is the perfect, enduring book to help our community make needed improvements. It would be best if you started with the right assumptions to find a better way to address the foundational rules. This book offers a way to guide us toward a common cybersecurity goal I heard Howard preach many years ago—to paraphrase him, ‘Let’s make the Internet safe.’ What an idea! The book is a must-read and certainly worth it. This book is for anyone in the cybersecurity profession and for C-Suite leaders accountable for corporate mission results, and as an Adjunct Faculty member leading undergraduates on their cybersecurity learning journey, I can see Howard’s book being used as course reading.

Sources

[1] Howard, R. (2023). Cybersecurity First Principles: A Reboot of Strategy and Tactics. Hoboken, New Jersey: John Wiley and Sons.

[2] Schwab, W., & Poujol, M. (2018). The State of Industrial Cybersecurity 2018 (p. 33). Kaspersky Lab (Ed.). Munich, Germany: CXP Group.

[3] Kindervag, J., S. B., Mak, K., & Blackborow, J. (2016). No More Chewy Centers: The Zero Trust Model of Information Security. In Vision: The Security Architecture and Operations Playbook. Forrester. https://crystaltechnologies.com/wp-content/uploads/2017/12/forrester-zero-trust-model-information-security.pdf

[4] Defense Information Systems Agency (DISA), & National Security Agency (NSA). (2021). Department of Defense (DOD) Zero Trust Reference Architecture. Department of Defense. Retrieved from https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

[5] NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. NIST.