Ben's Book of the Month: Cybersecurity First Principles: A Reboot of Strategy and Tactics

Posted on by Ben Rothke

Compulsories were a key, albeit tedious and unexciting part of figure skating. Fun fact: that’s why it’s called figure skating. In 1990, the International Skating Union (ISU) voted to discontinue compulsories as part of competitions, much to the happiness of a lot of TV viewers. The function of compulsories was meant to show that the skaters had the necessary discipline and capabilities.

Regarding information security, too many firms opt to use the latest tools or those up and to the right on a Gartner Magic Quadrant. These security solutions often become expensive but useless appliances in their data centers when they don’t work out as planned. These firms got caught up in the security hype without first considering the fundamentals and compulsories of information security. 

Those firms have gotten caught up in the security hamster wheel of pain. This concept was created in 2005 by Andy Jaquith and showed how difficult it is to do security right. So how can a company escape from this perpetual security hamster wheel of pain?

That is precisely what author Rick Howard helps the reader do in Cybersecurity First Principles: A Reboot of Strategy and Tactics (Wiley). Full disclosure: Rick is a friend and the founder of the Cybersecurity Canon, which I am a member of. 

So does information security really need a reboot? Howard thinks so, and here, he expands on his notion of first principles, which are the fundamental truths that serve as a foundation for building an information security program. This is not really a novel idea, as they are essential to every discipline, from engineering, mathematics, medicine, and more. 

Howard writes from a position of deep technical and business experience. He spent nearly 30 years in the United States Army, which plays a prominent role in the book via numerous vignettes. He then entered the private sector and had senior roles at Palo Alto Networks, VeriSign, and Counterpane. 

First principles can also be seen as a trajectory. The path of direction ultimately determines where an object will go. And the longer something travels, the more difficult it is to compensate for mistakes in the initial trajectory. That is why developing a security program on these principles is so essential. 

A key point the book makes is that for the pursuit of cybersecurity first principles to be effective; network defenders must have a centralized point (physical or virtual) where they bring in relevant information from all corners of the cybersecurity first principle space, which is where a SOC (security operations center) comes in. 

The book also goes through a lot of the history and overall fundamentals of information security. Howard also detailed the many security programs and initiatives, from the MITRE ATT&CK Framework, kill chain strategies, NIST, and more. 

The author makes it eminently clear that he is not advocating that all network defenders should deploy all of these first principle strategies and tactics in equal measure. This is obvious as every organization is different.

But the many principles and strategies the book details, all have the potential to reduce the probability (and Rick Howard is a big fan, I mean huge fan, or probability and statistics) of material impact due to a cyber event. And that is the function of these principles, to give you the tools to design, build and improve your cybersecurity program in order to reduce the probability of material impact. 

Some products and books claim to show how you can very quickly come up to speed on information security in a few pages. If that is what you want, this is not your book. Here, Howard takes a mature approach and lays out the details of what is needed on which to build a comprehensive enterprise information security program. 

While he has a solid technical background, the author details the concepts in a way that educates the reader rather than confuses them with concepts. That is especially true regarding zero trust, which plays a prominent role in the book. Howard can explain these security principles, such that readers at all levels can understand them.

While not primarily an introductory text on the topic, those looking to get a solid introduction to information security and risk management will find an excellent reference here. 

While figure skating once had its compulsories, meant to demonstrate proficiency and expertise, information still has them. In this case, they are called first principles. Those who take information security and risk seriously should acquaint themselves with these principles. And there’s no better place to do that than with this book.

Ben Rothke

Senior Information Security Manager, Tapad

Security Strategy & Architecture

security operations network security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs