8th Layer Insights 10.10.23
Ep 39 | 10.10.23

Cybersecurity First Principles w/Rick Howard

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to 8th Layer Insights. If you've been listening to the show for a while, you'll know that we've touched on the concept of first principles a few times, starting all the way back in Season 1 in my discussion with Bruce Schneier and even most recently in my recap of the SANS Human Risk Summit where I mentioned first principles as they relate to human risk management or security awareness or whatever we're deciding to call this today. But the key phrase in those last statements is that we touched on the concept. In many ways, thinking about first principles is and has been fundamental to the approach that I often take with 8th Layer Insights. But, despite that, we've never dedicated an entire episode to the topic. Well, now is the time. Today's guest is Rick Howard. If you've been in cybersecurity for a while or you listen to other N2K podcasts, you probably already know him. Rick is the CSO of N2K and is also N2K's chief analyst and senior fellow. His past lives include being CSO at Palo Alto Networks, CISO at TSAC, the general manager of VeriSign's iDefense, the Counterpane SOC director, and the commander of the Army's Computer Emergency Response Team, or CERT, as we know it. Rick served 25 years in the Army, taught computer science at West Point, and recently published the topic of today's discussion, "Cybersecurity First Principles, a Reboot of Strategy and Tactics." And so, on today's show, first principles, what are they, and how can they help us create a better, more resilient cybersecurity program? Welcome to 8th Layer Insights. This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is 8th Layer Insights, Season 4, Episode 9. I'm Perry Carpenter. Welcome back. Let's dive right into our interview talking about cybersecurity first principles with Rick Howard.

Rick Howard: Hey, everybody. I'm Rick Howard. I'm the Chief Security Officer of N2K, that is Noise to Knowledge, and also the senior fellow at the CyberWire where I do a bunch of podcasts about cybersecurity.

Perry Carpenter: And you've been at the CyberWire for a few years. Prior to that, give just a brief biographical sketch. What landed you where you are today, and what makes you somebody that we should listen to when it comes to the topics that we're going to hit on?

Rick Howard: Well, I'm an old Army guy. I did 20 years in the US Army in communications, which logically led to cybersecurity at the end. My last job in the military was I was the commander of the Army's Computer Emergency Response Team, which was fabulous. I transitioned to the civilian world, did work for one of the first MSSPs, took over a cyber intelligence shop at VeriSign called iDefense. Got my first CISO job at a government contractor here in DC. And then went over to be the CSO for Palo Alto Networks, which was a fabulous job. And, at the end of that, I thought I was going to retire and -- but I had been on the CyberWire shows many times talking about issues of the day. And so they asked me to come on and help them move their company forward, so that is why I'm here at the CyberWire.

Perry Carpenter: Awesome. And one of the things you're passionate about to the point where you talk about it a lot on your shows specifically and then ended up writing a book around is the idea of first principles. So give us an idea of first principles thinking. What is it? Where does it come from? And how do we start to apply that in the domain that we're talking about?

Rick Howard: Yeah. I've been thinking about cybersecurity first principles, geez, for over a decade now. And I -- I first got the bug when I was listening to an NPR show. They were talking about Bertrand and Russell. Say Bertrand and Russell, they were two mathematicians in the early 1900s who realized that two different mathematicians using the same set of rules that everybody was using could come up with two different answers, which that's not going to be good in a precision math world. So they decided to go back and rewrite the rules of math from the ground up using a set of first principles. And to give you a sense of how hard that was, it took them 80 pages to prove that 1 plus 1 equals 2. And in a famous footnote in the book, one of them says, this might be useful in the future, right. And so I just thought that was fabulous. And it got me thinking that, you know, a bunch of really smart people in the cybersecurity space back in the '70s and the '80s, they wrote a bunch of papers that were trying to get their hands around the edges of this thing called cybersecurity because, you know, back then, Perry, everything's brand new. We didn't even know what it was going to be. We didn't even have an Internet back then.

Perry Carpenter: Called it information assurance back in the day.

Rick Howard: Yeah. Right. And a lot of ideas were floated, but a couple of them stuck. And one of them was vulnerability management, meaning that we were going to make sure that all of our computers were secure. And then what's amazing about that is, even the guys that wrote that paper -- you probably recognize their name, Bell and LaPadula; this is back in the '70s -- when they said, here's the proof that you can -- building a secure computer. But, in the very next paragraph, they said, This is going to be impossible to attain because there's no way we're going to be able to show that whoever builds it followed these rules, right? So -- but, even then, we've been pursuing vulnerability management as a key best practice in our InfoSec programs. The other one that emerged was the idea of a CIA triad, confidentiality, availability, and I'm blowing a --

Perry Carpenter: Integrity.

Rick Howard: Integrity. Thank you.

Perry Carpenter: Yeah.

Rick Howard: I wrote a book about this and can't even remember what the acronym stands for, right? If you ask any practitioner about how they are, you know, deploying their InfoSec program, they're probably going to mention CIA somewhere in that paragraph. But, in the 30 years I've been doing this, Perry, that hasn't really worked that well. It hasn't really stopped the attacks.

Perry Carpenter: Right.

Rick Howard: If you just look at the headlines, the CIA idea has not really helped that much. It's a good, good thumbnail about what you should do. But I don't think it qualifies as a first principle. And what I mean by that, you have to go all the way back to Aristotle and Descartes and Euclid to figure out what a first principle is. And it's basically what is the essence of what we are trying to do. Okay? And that's the other problem we have in the InfoSec industry. You ask any three practitioners of what they're trying to do with their security program, you're going to get three different answers. And after 30 years of doing this, I'm saying, that's probably not good. We should -- as security experts in the field, we should all agree on what the absolute first principle is. And so I've been thinking about that for the last 10, 12 years. And I finally got it down to what I think it is. And I'd be interested to get your feedback, Perry, if you think it's a good idea. And it's a -- it's just a Twitter line. All right. You ready for it?

Perry Carpenter: Yeah. Give me the first principle.

Rick Howard: Okay. All right. So here it is, the -- what I think the absolute cybersecurity first principle is. It is reduce the probability of material impact to our organizations due to a cyber event in the next, say, two to five years. And if you think about that statement, it's really three pieces. The first one is we're going to reduce the probability, not prevent all attacks. We're trying to reduce the risk here. So that's piece number one. Piece number two is, if that's the case, we're only going to worry about material things. All the other stuff is, you know, gravy on top. But we're -- in a world of limited resources, we're only going to focus on things that are material to the business. And then, third, the last piece of it is we are bounding it by time because, if you just say we're going to try to reduce the probability anytime in the future, that risk calculation is way different than what's it going to be in, say, the next two years.

Perry Carpenter: Right.

Rick Howard: So that's it. Three pieces. What do you think? You think I got it, or am I way off base?

Perry Carpenter: So I think you have it. I think that it would be shocking to somebody that is first entering the field that we call cybersecurity to all of a sudden be told that they are reducing probability. So they're not eliminating; we're immediately shifting into risk-based conversations. And then we're also saying that it's going to take a while to get there, and you're never going to be fully in that state. So it is a series of I'm not going to say compromises but it may feel like that to somebody that's on the outside looking in thinking that security is about, you know, shields and armor and things like that.

Rick Howard: And, yeah. And war-like kinds of things. And --

Perry Carpenter: Yeah.

Rick Howard: And the whole point about this, I think, is, if that's the case, we're trying to reduce the probability. The immediate thing that follows is that we should be able to calculate what that probability is, which is a thing that, as a community, we are not very good at.

Perry Carpenter: Yeah. We're not good at the science part of this, even though --

Rick Howard: No.

Perry Carpenter: When you go get a computer science degree or a lot of cybersecurity related degrees, there is a science that's in the degree name that we're getting. So then how do we -- and I know that there's a -- several people that are trying to get to the fundamental math of what computer security is. How do you approach that, then? When it comes down to the provableness of -- or the provability, I guess is the right word, of the thing that we're trying to do, how do we -- how do we get to that provable state?

Rick Howard: I have to admit I struggle. I've been struggling with this for over a decade, Perry, right.

Perry Carpenter: Yeah. I can imagine.

Rick Howard: Again, I've tried. I've tried to do it in lots of different ways. And I, you know, I punted in many cases. You know, I've fallen back to the qualitative risk forecasting, which in a general sense, you put everything on a heat map, which is basically a fancy spreadsheet where the x axis is all the things that can go wrong and the y axis is how bad it's going to be. And what happens is -- oh, and you rate everything by high, medium, and low, this very subjective high, medium, and low category. And what happens is all the really nasty stuff floats high and to the right of the spreadsheet. And all the stuff that's kind of benign is low and to the left. And if you're really good at, you know, spreadsheets, you can color code it. So the nasty stuff is red. The not-so-nasty stuff is, you know, orange or yellow. And then the benign stuff is green. That's why it's called a heat map. Okay. And I've gotten away with going in and saying, This is really scary. You should give me some money so I can reduce -- you know, reduce this stuff. You know, and, admittedly, sometimes that's worked and sometimes it didn't. But there are reams of scientific papers that show that that kind of qualitative heat map risk assessments, they're just bad science; and we shouldn't use them at all. And so I've been on this quest for the last 10 years to try to figure out what -- a better way to do that. The approaches that most of the practitioners follow, is, you know, most of us aren't really math people. Okay. We all took our probability and stats class 101 back in college. I know I did. I barely got through it with the skin of my teeth. But what I've learned over the years is that probability is much more than, you know, rolling the dice or predicting the -- you know, a blue marble coming out of an urn of colored marbles. Okay. Probability is really a measure of uncertainty. Okay. It's about what we think the risk is to our business. But that's -- that's such a foggy idea, and I've struggled with it.

Perry Carpenter: Yeah.

Rick Howard: I tell you in the book that really changed my mind about all of this was a book by Tetlock And Gardner. It's called Superforecasting. Have you heard about this book?

Perry Carpenter: I don't know that I have. I mean, it sounds familiar enough, but that's because it's using two common terms. So yeah.

Rick Howard: That's true. So the guy that wrote this book, Tetlock, okay, he -- now, he is a curmudgeon. All right. He is one of those guys that doesn't like anything. And he was watching the news shows one day. I think it was CNN, right. And you know how the news programs bring a panel on to discuss some topic.

Perry Carpenter: Yeah.

Rick Howard: And he got mad because one of the participants was a person, a journalist who happened to predict something right once in his career. But he's been wrong ever since. Right? And he would just shake his fist at the TV. Why is that guy on the TV show? I always thought that there should be like a chyron at the bottom of the screen that says this guy's 1 for 37. Maybe you shouldn't pay attention to what this guy's talking about. So Tetlock is an IARPA scientist, and he orchestrates a five-year experiment where he had three populations: the intelligence community, the academic community, and a group of old people that I call geezers on the go. They weren't all old people, but they were people who had time to solve problems, right. And he gave them 500 really difficult forecasting problems like will President Putin get assassinated in the next three years, you know, things that are impossible to know. And then he graded it over a five-year period. And the team that wins by 60%, by the way, are these geezers on the go. And there's lots of reasons for their success that you can read about in his book. The really interesting thing, though, is there was another group within the geezers on the go that he called the superforecasters who were 60% better than the entire group, right, and proving to me that it was possible to forecast really difficult forecasting questions like the ones they were trying to do. I'm saying to myself, well, they can do that. Surely a low life CISO like me who doesn't understand probability and stats can figure this out, too. So that convinced me that it was possible. And the big epiphany, Perry, for me was I had to reverse my thinking. Before I used to think we needed all this precision.

Perry Carpenter: Yeah.

Rick Howard: That we were probably going to have to count all the things and come up with all kinds of variables and -- and maybe run some Monte Carlo simulations. And after reading the Superforecasting book, I realized that was not what we needed. We didn't need a precise answer. We needed a good enough answer, a ballpark answer, an answer that we can, you know, make resource decisions with in terms of people, process, and technology. So that was the big eye opener for me. When that happened, I realized, Oh, this is doable.

Perry Carpenter: Yeah. You know, I think when we think about the math for security that most people think, it's CISSP level math, right? It is --

Rick Howard: Yeah.

Perry Carpenter: -- we think about likelihood and impact. When we think about recovery time objectives, it's those kinds of things. It's not necessarily the level that you're thinking at. I'm interested, if you were to take on a new CISO position today at a company that has some wicked problems, you know, large company, multinational distributed networks, you know, all of the things, what would your -- what would your first 100 days be?

Rick Howard: The first 100 days would be my assessment of what we had in place. Okay. I would first go around and talk to all the business leaders about how their products work, and what they thought were risks to the business and gather that into one place so that I have my head around all of that. And then the next step would be to talk to my internal team to see what they thought were the risks to the infrastructure that they've been trying to protect, okay, and see where the gaps were. Right. And, from that, we would try to choose. We would make an initial risk assessment of the probability of material impact due to a cyber event in, say, the next three years. Yeah.

Rick Howard: And that could be as easily as a bunch of us in a room, all the experts, business people, cyber people, IT people, you know, talk about the problems and just give their best estimate, to see what it was as an initial number that we could use to bounce off.

Perry Carpenter: Yeah.

Rick Howard: And because the reason I'm saying that is, there's some math behind this that we don't have to calculate. But the theory is fascinating. It's all -- the reason that you can start with an initial guess of what the probability is and then, over time, improve that guess as new evidence comes in is really the basis for something called the Bayes algorithm. Have you heard about this before?

Perry Carpenter: I have. I could not define it if you asked me, though, but I have heard of it.

Rick Howard: Well, I love the idea of it, right? But it's -- there's lots of detail about it. You can go to the book and read it. But here's the way it works is basically you come up with an initial estimate. Then find new evidence, adjust your guess up and down, okay, depending on what that evidence is, right, and then -- then you have a new number. And you keep doing that over and over and over again. Right. And the problem is never done, but you keep improving your forecast over time. The model that Bayes used in his original paper back in the 1700s, was a thought experiment with a billiard table and two people. One person is the guesser, and one person is the assistant. And the guesser turns his back to the table, and the assistant rolls a cue ball onto the table. And then the guesser is supposed to make a guess about where that ball is on the table. And then the assistant keeps rolling more and more balls, okay, on the table and telling the guesser it's left or right of the original ball. And, over time, the guesser gets better and better. Never going to be perfect.

Perry Carpenter: Right.

Rick Howard: But it's going to be better, a better guess. And that's the idea of Bayes algorithm.

Perry Carpenter: Okay.

Rick Howard: And we can use that for our cybersecurity risk forecast.

Perry Carpenter: Yeah. That's Battleship, right, the old he sunk my battleship.

Rick Howard: Yeah. It's Battleship.

Perry Carpenter: Yeah.

Rick Howard: I wish I would have thought of it. Yeah.

Perry Carpenter: Nice. So --

Rick Howard: Next version.

Perry Carpenter: Then if you're, I mean, with this kind of mindset, how do you enter today's cybersecurity landscape that is pretty much I think we have a discipline of cybersecurity that we're always trying to refine and think about. And then we have the vendor community that is at least in name trying to draw a dotted line between the products that they have or the, quote, unquote solutions that they have and then the problems that we have as a cybersecurity community. With a refined mindset of somebody that's been doing this for 30-plus years, thinking about this in a first principles kind of way, how do you deal with RSA when you go to the, like, the vendor floor of Black Hat when you go to the vendor floor. What is -- what would a first principles mindset say to do when you get to a vendor floor?

Rick Howard: Well, the first thing I would do is before I go, before I go to the big conference, which I pretty much go to every year, right, the first thing you have to remember is there's a difference between strategy and tactics. And most of us don't get that. I'm an old military guy. That was kind of beat into us when I was younger, right? So a strategy is kind of the thing you want to do. Right? It's the overall goal. It doesn't tell you how you're going to do it, but it's the thing you want to achieve. The tactics are all the steps that you're going to deploy in order to accomplish that goal. It's a very simplistic way to look at it, but it's good to keep that in your mind. So if you believe me, if I've convinced you, Perry, that the absolute cybersecurity first principle is reducing the probability of material impact, there are several strategies that you might choose that will help you achieve that, follow-on strategies. And there are big bucket items, right. The first one would be zero trust, that kind of passive defensive measure, basically all the things you could do that has nothing to do with a specific adversary, just sort of battening down the hatches to make it really hard to break in, kind of like closing the windows and locking the doors at your house. Another strategy you might deploy is intrusion kill chain prevention, basically designing prevention controls for all the known adversary campaigns that are out there. And we know most of them, right, for -- if you just go to the MITRE ATT&CK wiki, I think last time I checked there's about 150 campaigns that they were tracking. If you just put prevention controls for all of those tactics, techniques, and procedures that bad guys use, you would have a pretty decent InfoSec program. A third one that you might use -- and this is the one I would prefer for small startups like mine, you know, the CyberWire. We're a very small company. I don't have the resources to do zero trust or intrusion kill chain prevention. Those things are expensive. So the strategy that we use at the CyberWire is resilience, okay, a strategy of we're not going to try to prevent the things from happening. We're going to try to survive it as it's going on. That tends to be cheaper. And we can actually get that done with startup resources. Along with that, another thing you might choose is automating as much as you can to make things flexible. And the last thing, the newest one that we didn't think about until after the book came out was workforce development, meaning that, if your strategy is zero trust, we should evaluate our team and how good they are at deploying zero trust and then train them to be better at it. And if you do it that way, you can reduce the probability of material impact for pretty cheap compared to the other methods. So going into RSA conference, I would have those things in the back of my mind. I would know what strategies we're trying to accomplish and then seek vendors who could help me get there. That's how I would work.

Perry Carpenter: Yeah. Welcome back to our interview with Rick Howard. How do you evaluate the vendor speak in terms of efficacy for their strategy? Because, I mean, you mentioned zero trust, which is -- it is a strategy. It's also a buzzword. It's also partially -- partially an encapsulation of other principles that have been around for a long time like least privilege, role-based access control and several other things kind of rolled in. How do you dismantle the nomenclature from the function?

Rick Howard: Well, I would -- again, zero trust from my mind, like you said, it's a strategy, not a -- not a product feature, right?

Perry Carpenter: Yeah.

Rick Howard: So I would then think about the tactics that I need to implement it. And one of them that comes out really quickly when you think about that is some sort of identity and access management program because you can't really do zero trust. You can't restrict access unless you know exactly who the people are on your network; what the devices are; and, by the way, what the software objects are that are running, you know, administrative commands on. We've got to know all of those things in order to implement a zero trust program. It is the reason -- it's expensive, if that's the strategy you choose. But I would look for vendors who could help me accomplish that identity and access management program.

Perry Carpenter: Right. You mentioned three things there that -- that I think are critical any time you're managing trust or identity because you think about what are the things that could be trusted or not trusted? Well, I could trust or not trust people. I could trust or not trust connections from devices. I can trust or not trust application centric types of connections as well. And there's probably a couple other things we could define if we wanted to. How does somebody get to that level of tear down, and -- but what I'm trying to get to is, how do you deploy a technology like that or a strategy like that and not end up with a false sense of security because you've forgotten one of those things that you should account for? Like, if I do identity and access management with a zero trust model, I've potentially taken care of my people, but I've not taken care of devices or apps.

Rick Howard: Yeah. The way I would do it is, as soon as I implemented a feature of that idea, I would then go back to my risk calculation, okay, and say, Have I reduced the probability by a point or two because I did this? And then you look at, oh, I did the people part. How much more would I get if I do the devices, right? So that's really a risk design now, not just a best practice, right? And so you could do that for every decision you make about your InfoSec program deployment.

Perry Carpenter: Yeah. And then where does things like threat modeling and tabletop exercises and all of that fit within this so that you're refining your thoughts and potentially discovering new avenues of attack or -- or strategies for resilience that maybe you haven't thought of before?

Rick Howard: Yeah. I kind of got those in two different buckets. One for threat modeling, I put that into my intrusion kill chain prevention strategy. And I am not as concerned about finding new undiscovered things yet because most of us don't deploy preventive controls for the things we know.

Perry Carpenter: True.

Rick Howard: So I'm going to focus on those 150 nation states that we know about, all right. And then I'll go from there. That'll be my first year in the seat. For tabletop exercises, I have that in the resilience strategy. It's one of the tactics for my resilience strategy. And I've done a bunch of these in my career. I'm sure you have, too, Perry. But what I've boiled it down to is we want to get the executives in the room to run some scenarios by them. And the idea is that we're not trying to come up with every known scenario, we want to train the executives to be driving towards a specific outcome of whatever crisis we are doing. Because whatever plan we come up with is going to be thrown out as soon as the bad thing happens because we're going to start making audible decisions. But if you train your executives that we're trying to keep the business running, regardless of what bad thing happens, that's the outcome that's desired. And we want to get them used to that in tabletop exercises. Now, you know, Perry, it's difficult to get senior executives into a room for a day or two of scenario planning. I found that doesn't work that well. But what I found that worked for me, my own personal trick is every -- two or three times a year, I would invite them to lunch that I would pay for because even senior executives like a free sandwich and a salad, right?

Perry Carpenter: Right.

Rick Howard: And only spend an hour or so walking through a scenario, okay? And then it'd be my job to -- to keep track of everything going on. But just get their feedback on our current plan, what they would do, how they would change the current plan because they didn't realize what they were talking about, and just iterate on that over and over again, again, training them to come up with ways to make the business survive, okay, and not worry about each specific scenario.

Perry Carpenter: Okay. I think the last question that I really want to hit on is for people in the industry, whether they're new, whether they've been around for a while, what is a -- a framework of thought or maybe just a constant filter that you would want everybody to have? Like, if you could say adopt this mindset as you go around your daily job, what would be that thing that you would want to advocate for?

Rick Howard: That's a great question, right? And I've seen this in the industry over and over again. People want to do everything because they're worried about everything. I would focus them on the strategies they've chosen. I would prefer they use my first principle strategies. But whatever strategy they are using, let's say they're using the NIST cybersecurity framework as their strategy, we can have an argument about why it's not a strategy. Let's say they're using that, all right. Every ounce of resources that the InfoSec team has should be poured into that strategy. If you are not, if you're doing something that's extraneous from that strategy, you're wasting resources. So focus on the strategy that you decided, and focus everybody -- purpose, and that will make it much more efficient as you go down the line.

Perry Carpenter: All right. Yeah. So kind of avoid distractions, avoid the new blinky light of the year that comes out.

Rick Howard: Yeah.

Perry Carpenter: And just stay focused. And I liked the way that you say that is, when you think about all of the things that everybody knows that they should do, for some reason, we're not good at doing the thing that we know should be done by everybody. We're really good at getting distracted and doing POCs for a lot of the things that are new and sexy that we can easily go spend a couple hundred grand on and just say, Oh. I did something. Oh, I put a black box in my system that may or may not actually pay off on the long-term strategy that I said we need to do.

Rick Howard: That is so true. I mean, just take a look at the technology you already have deployed. I guarantee you you're only using about 20% of it.

Perry Carpenter: Yeah.

Rick Howard: Right. I'll tell you -- I'll tell you an old war story. I used to -- I was the CSO for Palo Alto Networks, and one of my jobs is to go around and talk to other CISOs using our stuff, you know. And our sales guys would go in, and they would convince the CISO that they should replace their old stuff with our stuff, right, and -- you know, and spend a gazillion dollars doing that. And good job for them. They got a commission that year. And then I would come back to see those people a year later, and you find out what they've done. They spent the next year deploying the exact same rule set that they had with the old system that they replaced, okay. They -- you know, they bought this Ferrari of a system and then spent the year putting in the old jalopy rule sets. And it's like, that's the kind of thing that we do all the time.

Perry Carpenter: Yeah.

Rick Howard: My big frustration.

Perry Carpenter: Yeah. Absolutely. Back when I was at Gartner and doing a lot of IM research, one of the main things that I would do when somebody would say, Hey, I'm -- really want your opinion on this new IM System that vendor X showed me is I would go through and try to get a detailed list of pieces of infrastructure that they've already deployed. And I'd say, well, here's how to use this other thing to do the thing that this vendor is trying to sell you. You don't need to spend money this year or next year if you don't want to. You can actually just use a function set that you ignored in this other piece of stuff. Yeah. Don't get spun up just because it's fun to talk to vendors or to test stuff.

Rick Howard: That's funny you mentioned that. There's a section in my book called Meat and Potatoes, Zero Trust. It's basically this idea all together because I used to work for a next-generation firewall company, but all the firewall companies have the ability to make rules at layer seven. And it's basically give access to people based on who they are and what application they are using.

Perry Carpenter: Yeah.

Rick Howard: So that may not be sexy as the new shiny object that the -- you know, vendor X has, but you could get a long way down the zero trust journey just by using the thing that you have already deployed.

Perry Carpenter: Yeah. Well, and I think in an economic situation like most of the world is right now, if you can do that, you're kind of a hero, right? It's not fun.

Rick Howard: Kind of a hero. Yeah.

Perry Carpenter: It's a little bit of a slog through the mud to do that because it's not plug and play type of thing. But if you think creatively about what you have, most of these vendors have developed systems five years ago that can meet most of today's issues if you use the function set appropriately.

Rick Howard: Yeah. I agree with that totally.

Perry Carpenter: Cool. Well, any last thing that you want to make sure that everybody has a chance to think about before we sign off?

Rick Howard: Yeah. I'm -- you may notice through my book that I'm a big lover of cybersecurity books. I actually helped found a volunteer organization called the Cybersecurity Canon Project. That's canon with one N as in canon of literature, not two N's where you blow stuff up. It's been going on for about eight years now. And it's a -- the committee is made up of cybersecurity practitioners who read all the books. They write book reviews for them. And they've tried to put the book into one of three categories. The first one is Hall of Fame, meaning that everybody in the industry should read this because, if you don't, you have a hole in your education. The second one is, this is a good book, but it's probably niche. Not everybody has to read it. But if you're interested in the topic, it's a good one. And then third and probably the gift we give back to the community is do not read because there's lots of crap cybersecurity books out there. And we do the work for you so you don't have to. So you're welcome. Ohio State University sponsors the program. And if you're looking to read a book this year, you should check that out first. You can read the book review and see if you are interested in it going forward. So it's called the Cybersecurity Canon Project sponsored by Ohio State University.

Perry Carpenter: Yeah. I love the Cybersecurity Canon and was -- was honored to have my first book reviewed and put in it. So thank you very much for mentioning that.

Rick Howard: No.

Perry Carpenter: Yeah. And then, of course, people can -- can listen to you fairly on the regular on N2K, right?

Rick Howard: I work on three different podcasts. The CyberWire has about 22 podcasts and a number of newsletters they send out. I work on three of them. The -- my main show is called CSO Perspectives. It is on the subscription side. And it talks -- a lot of the ideas that were in my book came from the initial ideas from that show, and so you could check me out there. One of my favorite shows is something called Word Notes.

Perry Carpenter: Yeah.

Rick Howard: It's a little short, five-minute deal that we talk about one of the words in the word salad of cybersecurity. We define it. We talk about the history of where it is in its current state. And because I'm a nerd, I always tried to find some pop culture reference to it like a movie or a TV or a book. I have so much fun putting that together. And that's public. That's a short little thing every week in your podcast feed.

Perry Carpenter: Yeah. Those are fun.

Rick Howard: So check that out. It's called Word Notes.

Perry Carpenter: Yep. I love those. And if somebody's a Hacking Humans subscriber, I know a lot of those get dropped in the Hacking Humans feed as well. Well, I hope you enjoyed that interview with Rick Howard. And, more than that, I hope that you can see how useful the concept of embracing first principles is. When we understand that, it changes everything about the way that we approach the cybersecurity discipline. And so, if you haven't yet, I encourage you to pick up a copy of Rick's book. I'll put a link to it in the show notes. And, with that, thank you so much for listening. And thanks again to my guest, Rick Howard. I've loaded up the show notes with more information about Rick, as well as all the relevant links and references to the information we cover today. If you've been enjoying 8th Layer Insights and you want to know how you can help make the show successful, it's actually still pretty simple. First, go ahead and take just a couple seconds to go give us five stars, and leave a short review on Apple Podcasts or Spotify or any other platform that allows you to do so. That helps anyone who stumbles upon the show have the confidence that this show is worth their most valuable resource: their time. Another big way that you can help is by telling someone else about the show. Word-of-mouth referrals are the lifeblood of helping people find good podcasts. And, if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. Oh. And, if you want to connect with me, you can feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. This show was written, recorded, sound designed, and edited by me, Perry Carpenter. Cover art and branding for 8th Layer Insights was designed by Chris Machowski @ RansomWear.Net. That's W-E-A-R. The 8th Layer Insights theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.