Unearthing Cybersecurity First Principles with Rick Howard
Hello and welcome cybersecurity enthusiasts! We had an invigorating discussion with Rick Howard during the latest episode of CISO Tradecraft. Rick Howard is a renowned cybersecurity leader and author of the gripping book "Cybersecurity First Principles: A Reboot of Strategy and Tactics."
# Planning Cybersecurity Strategies with First Principles
Our discussion dove into Rick's philosophy of cybersecurity and the concepts laid out in his book. Note: you can purchase Rick's book here. One of the intriguing aspects we discussed was the "first principles" of cybersecurity. Normally, when we speak about the basics of cybersecurity, the conversation steers towards confidentiality, integrity, and availability (the CIA triad). Rick presents a different line of thought: instead of starting from properties of data, start from what we are actually trying to achieve.
The crux of this approach is to keep a narrow focus on reducing the probability of material impact due to a cyber event over a defined timeframe, say the next three years. Because the goal is time-bound and specific, it gives cybersecurity leaders a clear direction and a measurable target, rather than an open-ended mandate to "be secure."
# Materiality and Risk in Cybersecurity
Material impact becomes a significant discussion point in this context. Especially with the recent Securities and Exchange Commission (SEC) cybersecurity disclosure rules coming into play, understanding materiality becomes pivotal: a registrant that determines a cybersecurity incident to be material must disclose it on Form 8-K within four business days of that determination, so "material" is no longer a word the security team can define on its own. What's crucial to highlight here is that Chief Information Security Officers (CISOs) have to defer to the company's senior leadership's understanding of materiality. Once that definition is clear, cybersecurity leaders can quantify the risk and the potential dollar loss associated with it.
# Understanding Probability and Risk Management
Another striking concept Rick brought up was calculating probabilities. The common assumption is that probability calculations require advanced math and a great deal of precision. Rick disputes this. He emphasizes that a ballpark number, a reasonable estimate with its assumptions stated, is adequate for management to decide whether to allocate resources or accept the risk.
Referring to Fermi estimates (smart guesses that decompose a hard question into pieces you can estimate, getting you into the ballpark of a solution) and Bayes' rule (an iterative process of updating an estimate as new information arrives), Rick believes that CISOs can adopt these principles to reasonably estimate cybersecurity risk and make informed decisions. To learn more about Fermi estimates we recommend reading this article here.
# Bayes' Rule, Fermi Estimates, and Superforecasting
Drawing parallels from Philip Tetlock and Dan Gardner's book Superforecasting, which he cites in his own, Rick explains that a certain group of people, the so-called superforecasters, could predict outcomes more accurately than others, including domain experts. These people were not using high-order math; they made smart initial guesses based on experience and then continually refined their estimates as evidence came in.
By emulating this approach, Rick believes that CISOs can assess the risk of a significant cybersecurity event without needing absolute precision. They can give management a ballpark estimate, a "good enough" answer with its reasoning shown, that supports risk-management decisions.
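To make the Fermi-then-Bayes approach concrete, here is an added worked example. It is not code from the episode or from Rick Howard's book; every number in it (peer-group size, incident counts, likelihoods, loss figure) is a constructed, hypothetical input chosen so the arithmetic is easy to follow, and the evidence items are illustrative assumptions, not a recommended model. Step one is a Fermi estimate of the base rate of a material event over three years from a peer group; step two applies Bayes' rule repeatedly to refine that prior with organization-specific evidence; step three turns the probability into an expected dollar loss for the conversation with leadership.

```python
"""Ballpark cyber-risk estimation: Fermi base rate, Bayesian refinement.

Added illustration only (not from the book or the podcast). All inputs are
assumed/constructed values; replace them with figures for your own
organisation and peer group.
"""
from dataclasses import dataclass


def fermi_base_rate(peers: int, incidents_per_year: float, years: int) -> float:
    """Fermi estimate of P(at least one material event within `years`).

    Decomposition:
      1. annual rate  ~= material incidents seen per year / organisations in peer group
      2. treat years as independent, so P(no event in N years) = (1 - annual)^N
      3. P(at least one) = 1 - P(none)
    """
    if not 0 < peers or not 0 <= incidents_per_year <= peers or years < 1:
        raise ValueError("inputs out of range for a Fermi base rate")
    annual = incidents_per_year / peers
    return 1.0 - (1.0 - annual) ** years


def bayes_update(prior: float, p_e_given_h: float, p_e_given_not_h: float) -> float:
    """Bayes' rule: P(H|E) = P(E|H)P(H) / (P(E|H)P(H) + P(E|~H)P(~H)).

    H = "we suffer a material event in the window", E = the observed evidence.
    Evidence that is equally likely either way (p_e_given_h == p_e_given_not_h)
    leaves the estimate unchanged, which is the sanity check to remember.
    """
    num = p_e_given_h * prior
    den = num + p_e_given_not_h * (1.0 - prior)
    return num / den


@dataclass(frozen=True)
class Evidence:
    """One observation plus how likely it is in breached vs. unbreached peers."""
    name: str
    p_given_h: float      # P(observe this | a material event will occur)
    p_given_not_h: float  # P(observe this | no material event will occur)


def refine(prior: float, evidence: list[Evidence]) -> list[tuple[str, float]]:
    """Apply each piece of evidence in turn; return the trail of estimates
    so the reasoning can be shown to leadership, not just the final number."""
    trail = [("prior (Fermi base rate)", prior)]
    p = prior
    for e in evidence:
        p = bayes_update(p, e.p_given_h, e.p_given_not_h)
        trail.append((e.name, p))
    return trail


def expected_loss(probability: float, impact_dollars: float) -> float:
    """The 'dollar loss' figure leadership asks for: probability x impact."""
    return probability * impact_dollars


def material_risk_summary() -> dict:
    """Worked example with constructed numbers (assumptions, not data)."""
    # Assumed peer group: 1,000 similar organisations, ~20 disclosed material
    # incidents per year among them, three-year window as in the book.
    prior = fermi_base_rate(peers=1000, incidents_per_year=20, years=3)

    # Assumed, illustrative likelihoods. A finding that is common in breached
    # organisations and rare otherwise pushes the estimate up; a control that
    # breached organisations tend to lack pushes it down.
    evidence = [
        Evidence("critical internet-facing vuln unpatched > 90 days", 0.6, 0.2),
        Evidence("MFA enforced on all remote and admin access", 0.3, 0.6),
    ]
    trail = refine(prior, evidence)
    final_p = trail[-1][1]
    # Assumed impact figure agreed with leadership as "material" for this firm.
    impact = 25_000_000.0
    return {
        "prior": prior,
        "trail": trail,
        "probability_3yr": final_p,
        "expected_loss_usd": expected_loss(final_p, impact),
    }


if __name__ == "__main__":
    s = material_risk_summary()
    for name, p in s["trail"]:
        print(f"{p:6.1%}  after: {name}")
    print(f"expected loss over 3 years: ${s['expected_loss_usd']:,.0f}")
```

The point of returning the trail rather than a single number is that the estimate is only as defensible as the assumptions behind each likelihood; presenting the chain lets leadership challenge a specific step ("is 60% really right for that finding?") instead of the conclusion, and it is exactly the habit of visibly updating on new evidence that the superforecasting literature credits.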
# Final Thoughts
Combining an outside-in view (the broader business and regulatory landscape the organization operates in) with an inside-out view (the risks specific to your own organization) can transform cybersecurity management. Understanding both allows you to create informed and effective strategies.
Rick Howard's insights provide a refreshing perspective on cybersecurity first principles. His experiences emphasize the importance of clear definitions, understanding business goals, and using intelligent estimation in risk management. As cybersecurity professionals, adopting these principles can equip us better for the evolving cybersecurity landscape.
Our discussion with Rick underscored that effective cybersecurity strategy depends on understanding not just security but the business, risk, and probability. It's not about knowing all the acronyms and technical details; it's about communicating risk to the business in a language it understands and values.
So, keep these points in mind as you step into your next cybersecurity strategy meeting. Take a step back, look at the big picture, and focus on reducing the probability of a material cyber event in the near future.