Cybersecurity First Principles: A Reboot of Strategy and Tactics

The first expert discussion of the foundations of cybersecurity

In Cybersecurity First Principles, Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at The Cyberwire, challenges the conventional wisdom of current cybersecurity best practices, strategy, and tactics and makes the case that the profession needs to get back to first principles. The author convincingly lays out the arguments for the absolute cybersecurity first principle and then discusses the strategies and tactics required to achieve it.

In the book, you'll

- Infosec history from the 1960s until the early 2020s and why it has largely failed
- What the infosec community should be trying to achieve instead
- The arguments for the absolute and atomic cybersecurity first principle
- The strategies and tactics to adopt that will have the greatest impact in pursuing the ultimate first principle
- Case studies through a first principle lens of the 2015 OPM hack, the 2016 DNC Hack, the 2019 Colonial Pipeline hack, and the Netflix Chaos Monkey resilience program
- A top to bottom explanation of how to calculate cyber risk for two different kinds of companies

This book is perfect for cybersecurity professionals at all business executives and senior security professionals, mid-level practitioner veterans, newbies coming out of school as well as career-changers seeking better career opportunities, teachers, and students.

382 pages, Kindle Edition

Published April 19, 2023

73 people are currently reading
166 people want to read

About the author

Rick Howard

24 books, 7 followers

Community Reviews

5 stars: 55 (57%)
4 stars: 32 (33%)
3 stars: 6 (6%)
2 stars: 2 (2%)
1 star: 1 (1%)
Ali
406 reviews
September 5, 2023
Refining the classic risk formula, Rick Howard offers a first principles based framework for cybersecurity developed with well-thought tactics and strategies. For the executives, this could be a great guide to align their business with strategies proposed here such as zero trust, resilience, intrusion kill chain, automation and risk forecasting. For the managers, this could be the project plan to align their team’s tactics with the first principles strategies. For the bricklayers or analysts, this could help to see the foundations that the cathedral is being built on with all the tools and processes. In any case, it is a must read for any practitioner in cybersecurity. It is also a much better read than any other in cybersecurity as it has references from Russell and Whitehead’s Principia Mathematica to Cliff Stoll’s Cuckoo’s Egg to Neal Stephenson’s Cryptonomicon and to Alan Turing, along with war stories from Army CIO to Pentagon to RSA to Mandiant… Rick even brings in wisdom from Gandalf the Grey or Obi-Wan Kenobi to the table :) All in all a great read putting everything in cybersecurity into right context, and a call to sanity to bring a method to current madness. Highly recommended!

PS> The author is a GoodReads friend and I met him in person a couple of years ago when he was with Palo Alto Networks. I haven’t been in touch since then but tracked his podcasts on the CyberWire. Having said that, this is not an ARC or giveaway review, and opinions expressed are solely mine.
Kevin Magee
1 review, 6 followers
May 15, 2023
Everyone in cybersecurity wants to be Rick Howard when they grow up and this sentiment will only grow stronger after reading his latest book, Cybersecurity First Principles: A Reboot of Strategy and Tactics. Rick has been talking about applying first principle thinking to cybersecurity for many years now, and he masterfully fleshed out the concept in season 1 of his must-listen-to podcast, CSO Perspectives. This book builds on that work and expands it considerably, fills in some gaps, adds significant context and tosses in an entire brief history of cybersecurity at no additional charge.

The genius of Rick's work lies in his ability to distill complex ideas into their simplest forms. He applies first principle thinking to identify the core purpose of cybersecurity, which he calls his atomic first principle: "reduce the probability of material impact to your organization due to a cyber event over a finite set of time", which is printed and displayed with prominence and reverence in my office.

Rick’s thesis for this book rejects the notion that cybersecurity is somehow different from all other problems in the world and that it is so unique it can't be solved. I find this truly impactful as it begins with the assumption of a successful outcome as its foundation. He then methodically lays brick upon brick to provide a comprehensive and more importantly practical framework for discussing, communicating, and tackling the challenges organizations face regarding cybersecurity.

This book is not just for cybersecurity professionals; it is a foundational text that is also ideal for business decision-makers, security vendors, teachers, students, aspiring cybersecurity professionals and even industry recruiters looking to better understand the security landscape and how it all fits in together.

At the very least, you need to ensure that your leadership team and board members read Chapter 2: Strategies, which serves as an executive summary of the book and can provide invaluable insights for them that will make your job and life easier. Chances are that if they do, they'll be inspired to read the entire book or at the very least selectively explore other chapters.

One of the book's many strengths is Rick's ability to make the content accessible and engaging through humour. Rather than a deeply technical discussion of Identity Management for Zero trust, he explains that all you really want to know is that “Abigail the level 20 chaotic neutral Tiefling warlock is Rick Howard not a Russian influence operation”. It is these throwaway lines that both endear him to his fans with his geekiness and that keep the non-technical readers interested in what would otherwise be some pretty dry subjects. He also includes a great deal of empathy and reassures the reader with quick quips such as "don't worry if this all sounds confusing. It is." Throughout the book, Rick also shares “war stories” from his career that offer glimpses into his own growth as a security professional and his unique character which makes the book read almost like a mentoring session and not at all like a lecture.

Even though it may sound like a philosophy book initially, it is far from that. While Rick includes a full and detailed roadmap tying his work back to Aristotle's concept of first principles, in doing so, he challenges the outdated and disparate thinking that has thwarted our industry's collective best efforts to protect our organizations from threat actors and presents his atomic first principle as a viable solution to the cybersecurity problem. By rejecting the idea that cybersecurity is a unique, unsolvable problem, Rick encourages us to return to first principles and reassess our approach. His engaging writing style, comprehensive framework, unique insights and authentic voice make this book an invaluable resource for professionals, novices and aspiring defenders alike.
Zachary Lewis
Author 1 book
June 9, 2023
The risk assessment chapter was fantastic. A new way of thinking about that. HIPAA was misspelled dozens of times in the automation chapter which I found distracting.
Ashraf
48 reviews
November 28, 2023

"Cybersecurity First Principles" by Rick Howard, who serves as the Chief Security Officer, Chief Analyst, and Senior Fellow at The Cyberwire, looks to redefine the traditional mindset underlying cyber security processes, strategies, and methods. Howard strives to illuminate the need to pivot towards primary principles of cybersecurity. By offering compelling reasonings in support of the ultimate cybersecurity principle, he then discusses the right strategies and techniques required to accomplish it.

This book takes you on a journey that includes:

- Tracing the history of information security from the 1960s to the early 2020s, explicating its main shortcomings
- Suggesting what the information security community should rather strive towards
- Providing convincing arguments for the primary and fundamental principles of cybersecurity
- Discussing the most effective strategies and tactics that will assist in achieving the key principle
- Using the lens of first principles to analyze case studies such as the 2015 OPM hack, the 2016 DNC Hack, the 2019 Colonial Pipeline hack, and Netflix's Chaos Monkey resilience program
- Offering comprehensive illustrations on how to quantify cyber risk for two diverse types of organizations

The book serves as an insightful guide for a broad range of cybersecurity professionals. It caters to top-level executives and senior security practitioners, mid-tier professionals with a wealth of experience, fresh graduates, those looking for better career prospects in a different field, educators and students alike.
Libardo Muñoz
136 reviews, 5 followers
December 5, 2023
A very informative read for anyone who wants to pursue a career in cybersecurity. The author's vast experience, sense of humor and geeky comments encourage you to keep reading in order to understand what constitutes the heart of a cybersecure solution. That is: "Reduce the probability of material impact due to a cyber event/attack over the next 3 years". I like it because it bounds the problem with a realistic objective and within a reasonable period of time, because the author is more than aware of how prone systems are to being hacked.
I really liked how the author explained the Zero Trust philosophy and also the references to other cybersecurity books. I hardly enjoyed the risk chapter because, as it went deep into applied Bayes' theorem, it was hard to follow.
Overall it is an enjoyable and very well-informed read. Highly recommended for those who like the subject.
44 reviews, 2 followers
November 7, 2024
This was pretty sloppy, with one good point. There are the constant typos (as others mentioned). Howard doesn't seem to understand the definition of many terms he uses; Nassim Taleb would have a field day with how incorrectly the term black swan is used throughout this book. His 5 strategies are obvious, uselessly high-level, and heavily overlap. His risk assessment chapter is just a high-level summary of Hubbard's book (https://www.goodreads.com/book/show/2...). There are multi-page tangents that fail to connect back to anything useful; he seems more interested in fitting in anecdotes from his career than providing good content.

The good: The first principle he gives is "Reduce the probability of material impact due to a cyber event over the next three years", and that's a great mission statement for every security team. Most security practitioners could do better to remember we're optimizing over several years, not tomorrow.
9 reviews
September 22, 2024
What I appreciated most about Rick Howard’s book is that it encompasses dozens of cybersecurity concepts and approaches (such as zero trust; pen testing; red/blue teaming; threat intelligence; IAM; GRC; endpoint protection; etc.) and puts them all into a proper perspective along a comprehensive strategy.
Steve Lu
55 reviews, 1 follower
July 4, 2025
This was absolutely fantastic. If you are a cybersecurity professional, bump this book up on your TBR. This book is to cybersecurity what The Phoenix Project/The DevOps Handbook was for DevOps. It completely changed the way I think about this profession.