Speed Data: Rethinking Traditional Cybersecurity Principles With Rick Howard

Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. Like speed dating, our goal is to capture the hearts of CISOs with intriguing, unique insight in a rapid format for security professionals pressed for time.

This week’s episode features Rick Howard: author, journalist, Carnegie Mellon faculty member, and CSO, Chief Analyst, and Senior Fellow at the CyberWire. A highly in-demand professional, we were fortunate to grab time with Rick to chat about his new book, “Cybersecurity First Principles: A Reboot of Strategy and Tactics,” and learn the one area in which almost all security practitioners struggle.

A passion for podcasting

The old saying, “If you enjoy what you do, you’ll never work a day in your life” couldn’t be more fitting for Rick Howard, the CSO, Chief Analyst, and Senior Fellow at the CyberWire.

“I can’t believe I get paid to do this job,” he said. “I have an excuse to read a bunch of interesting things, and I get to write about it and do podcasts; I love what I do.”

Rick’s enthusiasm and energy shine through when he talks about his role for N2K Networks’ cybersecurity audio network. Ever the prepared professional, Rick makes sure he knows interview topics inside and out before he hosts an episode of his show.

“Whatever the topic is, I try to do the background research on my own; I’m trying to understand it,” he said. “The thing that helps me more than anything is I’ll write an essay about the topic just so I can explain it to myself, and then I use that as the basis for whatever interview we’re going to do.”

Although for most of Rick’s career he has solely worked as a security practitioner, his onboarding at the CyberWire in 2022 brought with it the title of respected journalist. However, this new accolade can have its downsides, Rick said, because those in his line of work tend to have the mindset, “I don’t want to talk to the press.”

“You go to conferences, and if you have a journalist badge, people tend to walk away from you,” Rick laughed.

Get started with our world-famous data risk assessment.

Book your free assessment

Questioning traditional methods

As if Rick’s resume wasn’t impressive enough, he recently published the book “Cybersecurity First Principles: A Reboot of Strategy and Tactics,” which challenges the conventional wisdom of today’s cybersecurity best practices.

“I’ve been thinking about the idea of cybersecurity first principles for over a decade, and what got me on it was, I heard this NPR story about two mathematicians back in the 1900s who were looking at the current math rules and you could come up with two different answers using legitimate math rules,” Rick said. “If you have two answers with math, that’s not right. So they decided to go back and rewrite the language of math from the ground up using first principles.”

That notion of questioning what has always been accepted as gospel was the inspiration behind Rick’s 400-page book.

It occurred to me that in cybersecurity, back in the ‘70s and ‘80s, a bunch of really smart people were trying to get their heads around what cybersecurity was going to be and they came up with really great ideas. What happened then was we all glommed on to those ideas and have never questioned them since. So maybe we haven’t come up with the exact first principle for cybersecurity yet.

Predicting the unpredictable

One area in which Rick thinks the cyber world still has a long way to go is forecasting risk.

“Most security practitioners like me don’t have any idea how to do that,” he said. “The big epiphany I had this last year was that [forecasting] doesn’t have to be that precise to make decisions — you don’t have to have the precision that everybody thinks they need. You need ballpark estimates so that senior leadership can make resource decisions.”

Reducing risk is what we do at Varonis. Want to see for yourself? Request a free trial or get started with our world-famous Data Risk Assessment.