Speed Data: Rethinking Traditional Cybersecurity Principles With Rick Howard

Rick Howard, author, journalist, and Senior Fellow at the CyberWire, chats about his new book on rebooting cybersecurity principles with Varonis' Megan Garza.
Megan Garza
Last updated March 25, 2024

Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. Like speed dating, our goal is to capture the hearts of CISOs with intriguing, unique insight in a rapid format for security professionals pressed for time.

This week’s episode features Rick Howard: author, journalist, Carnegie Mellon faculty member, and CSO, Chief Analyst, and Senior Fellow at the CyberWire. Rick is a highly in-demand professional, and we were fortunate to grab time with him to chat about his new book, “Cybersecurity First Principles: A Reboot of Strategy and Tactics,” and learn the one area in which almost all security practitioners struggle.

A passion for podcasting

The old saying, “If you enjoy what you do, you’ll never work a day in your life” couldn’t be more fitting for Rick Howard, the CSO, Chief Analyst, and Senior Fellow at the CyberWire.

“I can’t believe I get paid to do this job,” he said. “I have an excuse to read a bunch of interesting things, and I get to write about it and do podcasts; I love what I do.”

Rick’s enthusiasm and energy shine through when he talks about his role for N2K Networks’ cybersecurity audio network. Ever the prepared professional, Rick makes sure he knows interview topics inside and out before he hosts an episode of his show.

“Whatever the topic is, I try to do the background research on my own; I’m trying to understand it,” he said. “The thing that helps me more than anything is I’ll write an essay about the topic just so I can explain it to myself, and then I use that as the basis for whatever interview we’re going to do.”

Although Rick has worked solely as a security practitioner for most of his career, his onboarding at the CyberWire in 2022 brought with it the title of respected journalist. However, this new accolade can have its downsides, Rick said, because those in his line of work tend to have the mindset, “I don’t want to talk to the press.”

“You go to conferences, and if you have a journalist badge, people tend to walk away from you,” Rick laughed.


Questioning traditional methods

As if Rick’s resume wasn’t impressive enough, he recently published the book “Cybersecurity First Principles: A Reboot of Strategy and Tactics,” which challenges the conventional wisdom of today’s cybersecurity best practices.

“I’ve been thinking about the idea of cybersecurity first principles for over a decade, and what got me on it was, I heard this NPR story about two mathematicians back in the 1900s who were looking at the current math rules and you could come up with two different answers using legitimate math rules,” Rick said. “If you have two answers with math, that’s not right. So they decided to go back and rewrite the language of math from the ground up using first principles.”

That notion of questioning what has always been accepted as gospel was the inspiration behind Rick’s 400-page book.

“It occurred to me that in cybersecurity, back in the ’70s and ’80s, a bunch of really smart people were trying to get their heads around what cybersecurity was going to be and they came up with really great ideas. What happened then was we all glommed on to those ideas and have never questioned them since. So maybe we haven’t come up with the exact first principle for cybersecurity yet.”

Predicting the unpredictable

One area in which Rick thinks the cyber world still has a long way to go is forecasting risk.

“Most security practitioners like me don’t have any idea how to do that,” he said. “The big epiphany I had this last year was that [forecasting] doesn’t have to be that precise to make decisions — you don’t have to have the precision that everybody thinks they need. You need ballpark estimates so that senior leadership can make resource decisions.”
