CSO Perspectives (public) 5.7.24
Ep 5570 | 5.7.24

Bonus Episode: 2024 Cybersecurity Canon Hall of Fame Inductee: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us by Eugene Spafford, Leigh Metcalf, Josiah Dykstra and Illustrated by Pattie Spafford.


Rick Howard: You're listening to the 2012 song, "Hall of Fame", by The Script and will.I.am, which means it's that time of year again. The Cybersecurity Canon committee has announced the Hall of Fame inductees for the 2024 season to coincide with the RSA Conference, and I got to interview the winning authors. As you all know, N2K, and the leaders of the Cybersecurity Canon Project team up each year to highlight this valuable and free resource for the entire infosec community to find the absolute must-read books for the cybersecurity professional. And the next book we're going to talk about the next inductee into the Canon Hall of Fame this year is "Cybersecurity Myths and Misconceptions" by Eugene Spafford. So, hold on to your butts.

Unidentified Person #1: Hold on to your butts, butts, butts.

Rick Howard: This is going to be fun. My name is Rick Howard, and I'm broadcasting from the CyberWire's alternate secret Sanctum Sanctorum studios located underwater somewhere along the San Francisco Oakland Bay Bridge in the good old U-S of A. and the interns had a rip-roaring night their first night in town.

Unidentified Person #2: Yeah. Yeah.

Rick Howard: Hey, hey. Did anybody find Kevin from last night? We're all still looking for him. He'll turn up. He always does. You're listening to "CSO Perspectives", my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. Before we get started, I have several events that I'm doing at the RSA Conference. If you're attending, I would love for you to come by and say hello. First, members of the Cybersecurity Canon committee will be in the booth outside the RSA Conference bookstore to help anybody interested in the Canons Hall of Fame and Candidate books. And if you're looking for recommendations, we have some ideas for you. It's on Monday, Tuesday, and Wednesday at the RSA Conference bookstore at 2 p.m. My slot is on Tuesday. So, if you're looking to talk to me, come find me then. Next, I'm hosting a small group discussion, RSA calls them Birds of a Feather discussions, titled, "Cyber Fables: Debating the Realities Behind Popular Security Myths". The idea came from the Hall of Fame book we're talking about today, "Cybersecurity Myths and Misconceptions". If you want to mix it up with a bunch of smart people on this topic, this is the event for you. RSA hasn't picked a location yet, but the session is on May 7 from 9:40 to 10:30 a.m. Next, I'm doing a book signing. I published my first principles book at last year's RSA Conference. If you're looking to get your copy signed, or if you just want to tell me how I got it completely wrong, come on by. I would love to meet you. It's at the RSA Conference bookstore, May 8 from 2 to 3 p.m. I'm also hosting a Cyware-sponsored panel on the latest developments in SOC fusion, and Cyware is paying for the breakfast. How can you turn down a free meal? It's at The Billiard Room at the Metreon on May 8 from 8:30 to 11 a.m. And finally, Simone Petrella and I have been talking about Moneyball for workforce development since the last RSA Conference. For those of you that don't know, Simone is the N2K president. And I love this Moneyball idea. Come see us at Moscone South on the Esplanade level on May 9 from 9:40 to 10:30. Whew, that's a lot. So, with all those announcements out of the way, it's time to talk about the book.

Unidentified Person #3: Oh, yeah.

Rick Howard: Eugene Spafford, Spaff to all those that know him, is one of the original cybersecurity founding fathers. Historians usually put him in the same conversation with Bruce Schneier, Vint Cerf, and Richard Clarke. He's taught cybersecurity at Purdue University for 35 years, founded CERIAS, the Center for Education and Research in Information Assurance and Security back in 1999, and has developed fundamental technologies in intrusion detection, incident response, firewalls, integrity management, and forensic investigation. Dr. Spafford is a fellow of the American Academy of Arts and Sciences, the Association for the Advancement of Science, the ACM, the IEEE, and the ISC2. And that's just the first page of his bio. He wrote this book with his co-authors Leigh Metcalf and Josiah Dykstra, and he even had his wife, Pattie Spafford, provide the illustrations. I interviewed him in April 2024, just prior to the RSA Conference in May. Before we get into this too much first, congratulations on your book being inducted into the Cybersecurity Canon Hall of Fame.

Eugene Spafford: It's very exciting.

Rick Howard: What motivated you all to tackle this particular subject?

Eugene Spafford: My memory on this doesn't quite capture the very, very beginning. But I think we were having a discussion about frustration we had with various parties proclaiming about things that were incorrect. Giving advice that was incorrect, sometimes. Some we'd see on social media, some we'd hear in conference presentations, that we knew was simply misinformed or just outright self-serving may not be the best term to use. But it was just wrong. And the more we discussed about it, the more we realized there was a sufficient body here, that writing and definitive work to try to dispel some of those myths, address some of the psychological biases, and back them up with references would probably be a good thing.

Rick Howard: I've had that thought for over a decade now. Right? It started occurring to me, you know, around 2010 or so, that we all just kept looking at what our predecessors had done. And, you know, we took the next step. And we never questioned whether or not we were going in the right direction in the first place. Whether or not our assumptions were even correct. And you cover some of those in that book, in the book, too. Is that a different way to say what you were saying?

Eugene Spafford: Yeah, I think so. I remember, even 30 years ago, discussing how a lot of what we did in security was tales around the campfire.

Rick Howard: Exactly right.

Eugene Spafford: And some of those tales were intended more to frighten than to educate. But we have grown so quickly as a field, the technological transformation is so rapid, that sometimes our documentation and understanding have simply not been able to keep up.

Rick Howard: Well, I've definitely participated in those discussions because early in my career, it was fear, uncertainty, and doubt. That's how we all thought we would get money to fund our projects. And as I've gotten older and more senile, I realize that's probably not the way to go, that we should probably have a better way to describe what we're trying to do. And your book gives us all kinds of evidence and guidelines about how to do that. So, I really appreciate that.

Eugene Spafford: We all - I think we had a very good writing experience together because all three of us have had extensive experience in the field, although in somewhat different areas, different perspectives. But it all came together really well that we basically agreed on approaches and some of what the most important points were.

Rick Howard: So, it wasn't just your idea, it was all you guys coming together and say, oh, yeah, that's another one of these things we have to highlight. So, is that what you're saying?

Eugene Spafford: Yeah. It was really a group effort. And there were a couple chapters where I took the lead, for instance, the first chapter on what is security. Then there were others where each of them took a lead in writing the chapter. But all of us ended up contributing.

Rick Howard: So, you organized the book in four big sections. You got general issues like cybersecurity definitions, products, and process. You got human issues like faulty assumptions, and cognitive biases and weird incentives that we are all following. We have contextual issues like bad analogies, legal issues, and just myths about tools. And finally, we got data issues like probability and statistics, AI, and machine learning. And I was wondering, out of all the myths you tackled in the book, do you personally have a favorite one, a pet peeve maybe that has been gnawing at you for a long time and the book gave you a way to get it off your chest?

Eugene Spafford: I would say there's two, really. And the first one was, as I said, chapter 1, that we all have an agreed-upon definition of what cybersecurity is and what it's about. And that's simply not true. And that leads to all kinds of follow-on difficulties with lack of metrics and misapplying tools, and so on. The other Is the canard that the user is the weakest link.

Rick Howard: Yeah.

Eugene Spafford: And that is extremely annoying to me, for a variety of reasons, primarily as an educator, in that people are really potentially our strongest element of protection. But we have to equip them with the knowledge and the tools and the authority to be able to assist in security. And to just pick out the people who are trying to do their jobs, don't have the knowledge or don't have the tools, and blame them when things go wrong, is a broken approach to how to get better cybersecurity.

Rick Howard: That's one of my biggest annoyances, also. I can't believe we blame the user just because we haven't designed the compute systems and the security systems that are easy to use. And security is. That just annoys the crap out of me. And for the first one, you mentioned, too, the definition of cybersecurity, I get to talk to a lot of senior security professionals in this job. And you get any 10 in the room and ask them what are they trying to do with their program, you're going to get two different answers because none of us have said what we think is the absolute first principle for what we're all trying to do to protect our enterprise. So, I totally agree. Does that match with what you were trying to say there?

Eugene Spafford: In part, it's not only do we not know what it is we're protecting, we don't agree what we're protecting --

Rick Howard: Exactly.

Eugene Spafford: it against --

Rick Howard: And what's important. Yeah.

Eugene Spafford: -- why we're protecting it, how to allocate our resources appropriately.

Rick Howard: And that's our show. Well, part of it. There's actually a whole lot more, and it's all pretty great if I do say so myself. So, here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, dot com/pro. For less than $1 a day, you can help us keep the lights on, the mics rolling, and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, my favorite, exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families. And you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So, head on over to thecyberwire.com/pro and sign up today for less than $1 a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com, and we'll figure something out so you can join. I'd love to see you over here at N2K Pro. This episode was produced by Liz Stokes. Our theme song is by Blue Dot Sessions, remixed by Elliott Peltzman, who also mixes the show and provides original music. Our Executive Producer is Jennifer Eiben. Our Executive Editor is Brandon Karpf. Simone Petrella is our President. Peter Kilpe is our publisher. And I'm Rick Howard. Thanks for listening.