Bonus Episode: 2024 Cybersecurity Canon Hall of Fame Inductee: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us by Eugene Spafford, Leigh Metcalf, Josiah Dykstra and Illustrated by Pattie Spafford.
Rick Howard: You're listening to the 2012 song, "Hall of Fame," by The Script and will.i.am, which means it's that time of year again. The Cybersecurity Canon Committee has announced the Hall of Fame inductees for the 2024 season to coincide with the RSA Conference, and I got to interview the winning author. [ Music ] As you all know, N2K and the leaders of the Cybersecurity Canon Project team up each year to highlight this valuable and free resource for the entire infosec community to find the absolute must-read books for the cybersecurity professional. And the next book we're going to talk about, the next inductee into the Canon Hall of Fame this year, is "Cybersecurity Myths and Misconceptions" by Eugene Spafford. So hold on to your butts.
Unidentified Person: Hold on to your butts.
Rick Howard: This is going to be fun. [ Music ] My name is Rick Howard, and I'm broadcasting from the CyberWire's alternate Secret Sanctum Sanctorum Studios located underwater somewhere along the San Francisco-Oakland Bay Bridge in the good old US of A, and the interns had a rip-roaring night, their first night in town. [ Cheers and Applause ] Hey, hey, did anybody find Kevin from last night? We're all still looking for him. He'll turn up. He always does. You're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] Before we get started, I have several events that I'm doing at the RSA Conference. If you're attending, I would love for you to come by and say hello. First, members of the Cybersecurity Canon Committee will be in the booth outside the RSA Conference bookstore to help anybody interested in the Canon's Hall of Fame and candidate books. And if you're looking for recommendations, we have some ideas for you. It's on Monday, Tuesday, and Wednesday at the RSA Conference bookstore at 2 pm. My slot is on Tuesday, so if you're looking to talk to me, come find me then. Next, I'm hosting a small group discussion, RSA calls them "birds of a feather discussions," titled "Cyber Fables: Debating the Realities Behind Popular Security Myths." The idea came from the Hall of Fame book we're talking about today, "Cybersecurity Myths and Misconceptions." If you want to mix it up with a bunch of smart people on this topic, this is the event for you. RSA hasn't picked a location yet, but the session is on May 7 from 9:40 to 10:30 am. Next, I'm doing a book signing. I published my "First Principles" book at last year's RSA Conference. If you're looking to get your copy signed, or if you just want to tell me how I got it completely wrong, come on by. I would love to meet you. It's at the RSA Conference Bookstore on May 8 from 2 to 3 pm. 
I'm also hosting a Cyware-sponsored panel on the latest developments in SOC fusion, and Cyware is paying for breakfast. How can you turn down a free meal? It's at the Billiard Room at the Metreon on May 8 from 8:30 to 11 am. And finally, Simone Petrella and I have been talking about Moneyball for Workforce Development since the last RSA Conference. For those of you that don't know, Simone is the N2K president, and I love this Moneyball idea. Come see us at Moscone South on the Esplanade level on May 9 from 9:40 to 10:30. [ Music ] That's a lot! So with all those announcements out of the way, it's time to talk about the book.
Unidentified Person: Oh, yeah! Ha-ha-ha!
Rick Howard: Eugene Spafford, Spaf to all those that know him, is one of the original cybersecurity founding fathers. Historians usually put him in the same conversation with Bruce Schneier, Vint Cerf, and Richard Clarke. He's taught cybersecurity at Purdue University for 35 years, founded CERIAS, the Center for Education and Research in Information Assurance and Security, back in 1999, and has developed fundamental technologies in intrusion detection, incident response, firewalls, integrity management, and forensic investigation. Dr. Spafford is a fellow of the American Academy of Arts and Sciences, the Association for the Advancement of Science, the ACM, the IEEE, and the ISC2. And that's just the first page of his bio. He wrote this book with his co-authors Leigh Metcalf and Josiah Dykstra, and he even had his wife, Pattie Spafford, provide the illustrations. I interviewed him in April 2024, just prior to the RSA Conference in May. Before we get into this too much, first, congratulations on your book being inducted into the Cybersecurity Canon Hall of Fame.
Eugene Spafford: It's very exciting.
Rick Howard: What motivated you all to tackle this particular subject?
Eugene Spafford: My memory on this doesn't quite capture the very, very beginning, but I think we were having a discussion about frustration we had with various parties proclaiming about things that were incorrect, giving advice that was incorrect. Some we'd see on social media; some we'd hear in conference presentations that we knew were simply misinformed or just outright -- self-serving may not be the best term to use, but it was just wrong. And the more we discussed it, the more we realized there was a sufficient body here that writing a definitive work to try to dispel some of those myths, address some of the psychological biases, and back them up with references would probably be a good thing.
Rick Howard: I've had that thought for over a decade now, right? It started occurring to me, you know, around 2010 or so that we all just kept looking at what our predecessors had done and, you know, we took the next step and we never questioned whether or not we were going in the right direction in the first place, whether or not our assumptions were even correct. And you cover some of those in that book -- in the book, too. Is that a different way to say what you were saying?
Eugene Spafford: Yeah, I think so. I remember even 30 years ago discussing how a lot of what we did in security was tales around the campfire. [ Laughter ]
Rick Howard: Exactly right.
Eugene Spafford: And some of those tales were intended more to frighten than to educate. But we have grown so quickly as a field, the technological transformation is so rapid that sometimes our documentation and understanding has simply not been able to keep up.
Rick Howard: Well, I've definitely participated in those discussions because early in my career was fear, uncertainty, and doubt. That's how we all thought we would get money to fund our projects. And as I've gotten older and more senile, I realized that's probably not the way to go, that we should probably have a better way to describe what we're trying to do. And your book gives us all kinds of evidence and guidelines about how to do that, so I really appreciate that.
Eugene Spafford: Well, I think we had a very good writing experience together because all three of us have had extensive experience in the field, although in somewhat different areas, different perspectives. But it all came together really well that we basically agreed on approaches and some of what the most important points were.
Rick Howard: So it wasn't just your idea. It was all you guys coming together and saying, "Oh, yeah. That's another one of these things we have to highlight." So is that what you're saying?
Eugene Spafford: Yeah, it was really a group effort. And there were a couple of chapters where I took the lead, for instance, the first chapter on what is security. Then there were others where each of them took a lead in writing the chapter, but all of us ended up contributing.
Rick Howard: So you organized the book in four big sections. You got general issues like cybersecurity definitions, products, and process. You got human issues like faulty assumptions and cognitive biases and weird incentives that we are all following. We have contextual issues like bad analogies, legal issues, and just myths about tools. And finally, we got data issues like probability and statistics, AI and machine learning. And I was wondering, out of all the myths you tackled in the book, do you personally have a favorite one, a pet peeve maybe that has been gnawing at you for a long time and the book gave you a way to get it off your chest?
Eugene Spafford: I would say there's two, really. And the first one was, as I said, Chapter 1, that we all have an agreed-upon definition of what cybersecurity is and what it's about, and that's simply not true. And that leads to all kinds of follow-on difficulties with lack of metrics and misapplying tools and so on. The other is the canard that the user's the weakest link. And that is extremely annoying to me for a variety of reasons, primarily as an educator, in that people are really, potentially, our strongest element of protection, but we have to equip them with the knowledge and the tools and the authority to be able to assist in security. And to just pick out the people who are trying to do their jobs, don't have the knowledge or don't have the tools, and blame them when things go wrong is a broken approach to how to get better cybersecurity.
Rick Howard: That's one of my biggest annoyances also. I can't believe we blame the user just because we haven't designed the compute systems and the security systems that are easy to use and secure to use. That just annoys the crap out of me. And for the first one you mentioned, too, the definition of cybersecurity, I get to talk to a lot of senior security professionals in this job, and you get any 10 in a room and ask them, what are they trying to do with their program? You're going to get two different answers because none of us have said what we think is the absolute first principle for what we're all trying to do to protect our enterprise. So I totally agree. Does that match with what you're trying to say there?
Eugene Spafford: In part, it's not only do we not know what it is we're protecting; we don't agree what we're protecting it against --
Rick Howard: And what's important, yeah.
Eugene Spafford: Why we're protecting it, how to allocate our resources appropriately. An awful lot of the people who work in cybersecurity are also just focused on the technology. So they don't think about some of the other issues of training and education, of psychology, of economics, of risk assessment, and law and policy, all of which play a key role. When I started CERIAS here at Purdue 25 years ago, that was a foundational principle. That for a very long time, we were the only place organized that was really pursuing that, where we said, it's not only the technology, it's got to be this ecosystem that has to be a part of the solution. And the book gave me an opportunity to add to that idea and help inject it in some other places.
Rick Howard: I was particularly pleased with your section called "Probability is Certainty." You mentioned a very similar example I've been talking about for years, that in introduction courses to probability and stats, professors often teach the basic concepts with red and white balls, you know, kept in bags or jars. And you mentioned that this is the frequentist view of statistics, a view that you have to count all the things before you can do any kind of risk calculation. But I've learned over the years that there are problems where there just isn't any data yet to count, because the thing we are concerned about hasn't happened yet. You mentioned black swan events in the book. But as leaders, we might want to forecast their likelihood. You call that an "interpretation of statistics," which I love, by the way, that phrase. It's fantastic. I've been calling it the Thomas Bayes approach. You mentioned that although this kind of statistical inference uses math, it's not really math at all. And I'm wondering if you can help me understand that.
Eugene Spafford: Well, this part was really the -- I'd say the central authority on this was Leigh because this is her background. But the idea that when we talk about a probability measure is where we assume we have some baseline, we assume we have a population that we're able to sample to be able to talk relative to that population. All probability is relative to a population. But when we're looking at ongoing evolving processes, we can look at statistics. We can look at past occurrences and the future is open-ended. What we have to do is extrapolate forward. We have to use statistical methods to be able to look at that future, to be able to make some kind of predictions, maybe not exact. We may not have two decimal places. We may not have any decimal places. But we should be able to make some kinds of predictions based on enough data about the past or understanding of the potential for the future.
Rick Howard: So in that chapter, you all write that you use math to calculate probabilities, but the answers we're getting there are not really an exact math answer. It isn't like 2 plus 2 is exactly 4. You are making a guess, and everything I've learned about probabilities is it's a measure of uncertainty. So we may get a number there, but, you know, it's a forecast. It's not -- it's not a hard and fast rule like you were saying.
Eugene Spafford: Yes, and, in fact, it's possible to build statistical models where we label the output as, I'll say, red, green, blue, and we assign meaning to that. The reason we use numbers is that people are better able to compare those numbers for magnitude of likelihood, and we sort of gravitate towards that. But when we're really looking at trends where we don't know those exact numerical values, we can still make some predictions or some projections about what may occur.
Rick Howard: So the book is filled with all kinds of insight like that. And if you wanted readers to take one thing away after they finished it, what would it be to get through all those chapters of all those things? What's the big takeaway here?
Eugene Spafford: I think part of it is that this is a field that is more than just the ones and zeros and the computing parts of what they touch. That understanding security as applied to the realm of computing involves a lot more. It involves communication. It involves people. It involves questioning, folktales, and replacing that with acquired knowledge from other places. So the idea that -- yeah, you can pick up a book on how to secure your Windows registry or how to install a firewall to protect your IP stack. Sure, those are great technical aspects. But if you really want to understand security writ large, you have to have a more encompassing view, and that's also important for communicating with executives, policymakers who don't understand the technology but care about the security.
Rick Howard: So the book is called "Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us," published in 2023 and inducted into the Cybersecurity Canon Hall of Fame this year, 2024. Spaf, congratulations on this honor and thank you for writing this book for the entire infosec profession.
Eugene Spafford: Thank you so much. We are just delighted that people are finding it useful.
Rick Howard: I'd like to thank Eugene Spafford for coming on the show to discuss his book, the latest inductee into the Cybersecurity Canon Hall of Fame. It's called "Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us." If you'd like to learn more about this book, as well as the other books in the Cybersecurity Canon series, surf on over to the Ohio State University web page, the official sponsor for the Canon Project, at cybersecuritycanon.com. And if you're attending the RSA Conference this year, see the CSO Perspectives show notes for times and places I'll be appearing. I would love to meet you. And that's CSO Perspectives, brought to you by N2K CyberWire. Visit thecyberwire.com for additional resources that accompany this episode and check out our book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics," for a deep dive on all the topics covered in this podcast. I've added some helpful links in the show notes, and we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and a review in your podcast app. And you can also fill out a survey in the show notes or just send me an email at csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. [ Music ]