"The beginning is the most important part of the work"
Cybersecurity often feels like an endless list of chores: update your passwords, watch out for phishing emails, and keep your software current. But why do we do these things? Which things matter more than others? To build a strong cyber defense strategy, we need to start with a "first principle."
What is a first principle?
A first principle is a basic, foundational truth. It is a starting point that cannot be deduced from any other idea. In math, the first principles are the axioms, such as Euclid’s “things which equal the same thing also equal one another”: statements accepted without proof, from which everything else is derived. In modern philosophy, Descartes famously boiled it down to “I think, therefore I am.”
In cybersecurity, a first principle acts like a compass to keep us pointed in the right direction. It helps us decide which safeguards to implement, which tools to use, and which rules to follow. Without one, we are just guessing.
The first principle of cybersecurity
According to the book Cybersecurity First Principles: A Reboot of Strategy and Tactics by Rick Howard, the absolute foundation of everything we do is this:
Reduce the probability of material impact due to a cyber event over the next three years.
That sounds like a mouthful, so let’s break it down into three simple parts:
Reduce the probability: We can’t drive the risk of a cyberattack to zero. That’s impossible. Instead, our goal is to make a successful attack that actually hurts the organization as unlikely as we reasonably can.
Material impact: This refers to damage that actually matters. A tiny event that is immediately resolved isn't a big deal. A "material" event is something that costs a lot of money, leaks private data, or stops an organization from working. We focus our energy on stopping the big problems.
The next three years: Technology changes fast, and we only have so much time and money. We can’t plan for twenty years from now, but we can’t look only at tomorrow, either. Three years is a manageable window in which to plan and budget, and to measure whether our security plan is actually working.
Why this matters for you, the defender
When we agree on this first principle, cybersecurity becomes less about a never-ending news cycle of nation-state hackers and ransomware gangs, and more about clear goals. If a security tactic, tool, control, or safeguard doesn’t help us reduce the chance of a major problem in the next few years, we probably don’t need it. If you are spending time and money on something that doesn’t directly serve this first principle, you’re wasting resources.
Every insight and guide you read here at Sensible Security will stem from this one idea. We aren't here to give you random tips; we are here to help you follow this first principle to keep your organization safe.
There is no finish line in security. It is a continuous journey. Welcome to it.
