What is the First Principle of Cybersecurity?

In a recent conversation with Rick Howard, Chief Advisor to The Cyberwire, cybersecurity author and distinguished veteran, he shared the ethos that drives his latest book "First Principles of Cybersecurity" (https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083/ref=sr_1_1?keywords=rick+howard+cybersecurity&qid=1689342437&sr=8-1). In this outstanding contribution to our field, Rick brings the practice of cybersecurity back to basics. In Rick's words, it starts with the very first principle:

“The First Principle of cybersecurity is to reduce the probability of a material loss due to a cyber event over the next three years”

The book and Rick's principles serve as an important reality check for all of us as cybersecurity professionals. From this fundamental principle follow the basic questions that inform cybersecurity practice:

  • How should cybersecurity effectiveness and progress be measured?
  • What cybersecurity initiatives and efforts can best target risk?
  • When the First Principle refers to "probability", how do we go about understanding probability? Is it the same as "likelihood" (the basis of many legacy cybersecurity risk management solutions), or is it real probability (a mathematical construct, far different from "likelihood")?
  • How should we go about applying this key principle in practice?

These are important and fundamental guideposts that Rick highlights for the way forward in Cybersecurity as we continue to advance our practices and methods, and as we continue to mature as a profession.
