The Cybersecurity Bridge

Rick Howard, The Cybersecurity Canon Project

SiliconANGLE

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 38:03
SPEAKER_01

Hello everyone. Happy summer. Welcome to my podcast, The Cybersecurity Bridge. If you're one of the very few people on earth who's never seen my Cybersecurity Bridge podcast. What are you doing? Anyway, each episode is broken into three sections. In the first section, we talk about the present of a particular area of cybersecurity. In the second section, we talk about the future of that area of cybersecurity. And in the third, that's the cybersecurity bridge where we talk about how we get from the present to the future. Now we're not really going to talk about a specific area of cybersecurity today, but we're going to talk with a cybersecurity expert, an old friend, someone who's been around the block for at least as long as I have, Rick Howard. So Rick, please introduce yourself to the audience.

SPEAKER_00

Hey, John, it's good to see you again. Thank you for having me on the show. I am the uh bit like you said, been around for a long time, been doing cybersecurity for 40 years. I'm currently the CEO of the all-volunteer nonprofit cybersecurity canon project that I hope we get a chance to talk about a little bit as we have our discussion.

SPEAKER_01

Yes, we will absolutely include that because I was a founding member and now I'm hopefully going to be getting back involved. I love reading cybersecurity books. And speaking of cybersecurity books, Rick, are you ready to play cybersecurity trivia? Yes, let's do it. Let's see how good I am. All right. So the question is right up your alley, and I'll read it. What year was the first commercial book about computer security? Because it wasn't called cybersecurity back then, but computer security published. Was it 1970, 71, 72, 73, or 74?

SPEAKER_00

Whoa, I didn't know that we went back that far with uh computer security books. So I'm gonna go see 72 is the first paper, so it's gotta be after that. Let's go. Was it 74 an option? Can I go 74? Yeah, 74 was an option. Let me do 74.

SPEAKER_01

Oh, you were so close. So close. It was uh 1973, according to the research, the extensive research that my staff did in in uh preparation for this. What I found was the first paper was in 1970, produced by the Rand Corporation. Yeah, and the book in 1973 was uh called Security Accuracy and Privacy in Computer Systems by James Martin, who was a no surprise, was a professor. There was another one that year. And then in 1976 was the first uh popular book about cybersecurity, and I think that was more fictional. But anyway, let's I totally whiffed, John. I I should know that answer, so now I feel bad. Well, now you know. Put it that way, and it's and it's an esoteric fact. But so really basic question to start. What's your what's your um opinion of the current state of cybersecurity?

SPEAKER_00

Oh, I think that we are transitioning, okay, right now. Um, you know, you and I started back in the day, back when we didn't even know what to call it, you know, my first jobs were IT jobs and transition to security in the 90s. So uh, and we've been doing that kind of prevention uh mentality, I don't know, for 25, 30 years. Um, but as I've uh gotten old in my career, I think we are transitioning to uh agentic AI doing most of the grunt work and maybe changing our strategies a bit from prevention to something I like to call uh resilience. I don't know. What do you think it's gonna do?

SPEAKER_01

Well, you're the guests. Um no, I I think we are in a period of transition. I'm I'm um not leery, I'd say I'm cautious about this transition because I think there's a lot of in uh intransigence in our industry of people who feel like they followed best practices, they've gotten certain skill sets over the years, and I think that's all changing quickly. But I like your notion of moving to resilience. And so, what's your definition of resilience?

SPEAKER_00

Well, I mean, um, like you, John, like uh I've been doing this a long time, and uh, I've spent gazillions of dollars in various jobs that I've had um trying to defend whatever organization I was working for, you know, and the that manifested in strategies like zero trust and intrusion kill chain prevention. Um, and what I've learned at the end of my career here is that nobody had enough resources to actually implement those strategies to the fullest extent where it would actually do some good. Because it's really expensive, one to do either of those strategies, and then it's really hard to do well, all right. So um, even if you had the money, the only organizations that could actually get that kind of thing done were the Fortune 500s, and that leaves a bunch of us out in the cold, anywhere from startups to mid-sized organizations. So the alternative then is to find a more affordable strategy, which I call resilience. And this, what that means to me is that instead of trying to prevent the bad guy from uh getting in and causing damage, it is to try to survive the attack. All right, and what that means is the skill sets that we have that we typically use for prevention and intrusion kill chain detection are completely different from what resilience would be. Resilience uh skills are backups and restores and mean good at crisis management, which doesn't really overlap at all with the other ones we used to do. So um when I so to answer your question specifically, resilience is being able to survive the attack, not just prevent it.

SPEAKER_01

So historically, I would say uh well, I totally agree with you, but historically, I think that the philosophy was well, we know we can't do everything, we can't protect every asset, we can't respond to every alert. So we're going to go with a crown jewels type mentality and just reduce the attack surface, really understand what our critical assets are. Why doesn't why doesn't that work anymore? Does it work but not well enough?

SPEAKER_00

I'm not sure it ever worked very well, all right, because we can never, even if you identify the I call them, you know, you called them the crown jewels, I call them material assets, right? Because why would you spend money on uh systems that aren't material to the business? So call them the ground jewels if you like, right? But that kind of thing never really uh helped us. And it and if you read the headlines on any given day, you can see the attacks keep coming. Um, and so uh in the early days, like you know, John, uh we couldn't, but you know, companies uh um could not admit to the public that they got hit by hackers because they thought their reputation would go down and it would affect the stock price somehow. Uh we have gotten beyond that in our industry. You know, people get hit all the time, and yes, stock prices might go down a bit, but they go right back up again. So reputation loss is not the big thing that we used to think it was. And so, therefore, prevention and detection schemes maybe not are the most important. The idea is to keep the business running, right? So that your customers don't even know that it, you know, the attack happened. Not that you're trying to hide it from, but it's uh we can switch over to working systems that keep the business running uh and not even you know breathe too hard. So that's where I think we should go.

SPEAKER_01

Um, so you and I have talked about this. Uh, I worked at a fly by night optical networking startup back in the early 2000s, and we worked a lot with, well, when we caught BISTIS, we worked a lot with um the Wall Street banks. And so they were very good at business continuity, disaster recovery, BCDR. They would mirror their transactions between Lower Manhattan and either New Jersey or Brooklyn, and they had this down and they were regulated to do so. That was 25 years ago. So why was that why is there a disconnect between doing that for financial transactions and doing that um you know against force majeure type of activity versus cybersecurity? Where did we m miss that connection?

SPEAKER_00

Well, uh, I think, and you can correct me if I'm wrong here though, but uh um our peers looked at what the people behind us did and just kept adding on. And the first things we started to do was try to defend, block bad things from happening. The uh crisis management stuff, the backups and restores that you were talking about never really fell on the cyber teams, never on the defensive teams. That was you know, somewhere else, maybe on the IT side, or maybe if you're big enough, you had an organization that did um, you know, force major kinds of things. So it was never in our uh bailiwick to be responsible for that. Um, and so we let other people do it. And uh, I think that was the disconnect. We just kept looking at what the previous guy did and took the next step. We never stopped to think about what we were trying to accomplish in the first place. And by the way, John, I uh that has been a huge mistake for us, right? When you talk to uh all of our peers, okay, we we are always deep, knee deep into tactics. You know, uh here we should stop this uh exploit from happening, we should stop this malware from happening, but we never stop and ask ourselves what are we trying to accomplish with our InfoSec programs? What is the overall goal? I call them first principles. Um, I even wrote a book about it, right? And uh I think I know what it is these days, but my my criticism of our profession is that we have not taken the time to think about that in any kind of depth or gravitas.

SPEAKER_01

Yes, and and I would add, um the the difference to me is that those mirroring transactions at business continuity disaster recovery was a business initiative, and cybersecurity has always been thought of as a technical initiative. So my question there is has cyber resilience um percolated or come up to the boardroom level, or are we still kind of viewed as a technical stepchild?

SPEAKER_00

I still think we're a technical stepchild. Um, and it's our own fault, too, by the way. My peers, my me to include myself, for some reason, we decided to make uh cybersecurity so technical and scary that we should be put off in our own little silos to do things. In the early days, we did not make ourselves invaluable to the business, right? Uh the business leaders knew we should do something, so they handed it to the IT and security guys, but they did not insist that we uh improve the business posture uh in by some measure, right? And that is our mistake. Okay, the people that come behind us uh are now starting to figure out that we need to be valuable uh to business operations to actually reduce risk to the business. Now, I haven't seen wide adoption of resilience as the next thing we're all gonna try, right? But it is the next logical thing that we should try, right? And probably easier to do. Okay, so um that might that might help us down the road.

SPEAKER_01

Yeah, look now. Let's transition to the future. And so I'm gonna read from your book Cybersecurity First Principles, you say that the goal is to reduce and uh correct me if I'm wrong, but reduce the probability of a material impact due to a cyber event uh over the next business cycle. Yeah. So uh as you look to the future, uh and and I know you like to parse that sentence, so please do, but as you look to the future, what can we expect from things like AI, from regulations, from the business getting religion on cyber resilience? What can we expect in in um facilitating that statement?

SPEAKER_00

Well, uh the reason I wrote the book is because uh um everybody, all my peers that I've talked to, I couldn't get them, we couldn't all agree in what we were all trying to do, right? That which doesn't, which is just weird, and then that uh yeah, we all are different, we all have different verticals, different sizes. But uh uh if you were talking in terms of first principles, shouldn't we all agree that we should be doing the same thing? And so it got me thinking about what would be the absolute cybersecurity first principle. And you just read it, like you said, it's three pieces. Um, and the first one is reduce the probability, um, meaning that you have to know what the current probability is, and our industry really sucks at that. We don't know how to, as a group, we don't know how to do it. Now, there are ways to figure that out, and I wrote about it in the book, and there are other methodologies like the fair methodology that a lot of people use, right? But as a group, we are not very good at thinking in terms of probabilities. The second piece of that is only worry about material things. We were talking about it before, right? Why would we worry if the bad guy stole the lunch menu from the company cafeteria and exfiltrated it out to the command and control center in Tajikistan? You know, yeah, it's a little embarrassing, but uh maybe we don't call the FBI for that one, right? And then the third is have a reduced time frame. Because if you just say, what's the probability that we'll get hacked sometime in the future? Yeah, that answer is probably, you know, yes, somewhere down the future. But if you're trying to forecast the probability in the next say business cycle, that's a different number, right? And absolutely possible to do. So that's the background for the first principal statement. Now I forgot what your question was. So what am I supposed to be answering?

SPEAKER_01

What did so as you look at that statement, um, think about the impact of AI, the the impact of pending regulations. What's what are the big drivers of change there?

SPEAKER_00

Uh I think is uh um automating that calculation is so much easier than it was 10 years ago when we were all trying to do it with spreadsheets and and pencils, right? Uh it is pretty easy now. Uh to we understand the calculation, okay, to calculate what the probability is. You can actually get that number uh off of public intelligence reports. Um uh there's a great book, John, that's in the Hall of Fame. It's called the Super Forecasting. Um, and it's by uh Dr. Tedlock. And he was kind of an old curmudgeon back in the 2000s who worked for the Intelligence Advanced Research Project Agency, kind of like DARPA, but for the intelligence community. And you know, and he would look at the news shows uh on TV, you know, Fox and CNN and MSNBC, and those shows that always bring on panelists who predicted something once correct in their career, but had been wrong ever since, you're right. So he would kind of shake his fist at the TV and said, Why do they have these losers on here? And I always thought that there should be a Chiron at the bottom of the screen that said, you know, this guy's one for 37. Maybe not pay attention to what he's talking about, right? So Tedlock does an experiment. Uh, he gets three groups the intelligence group, the intelligence uh analysts, academia, and a group I call the geezers on the go. These are just old people that had uh time to solve puzzles, and it gives them 500 really difficult uh forecasting problems, like will the president of Syria get assassinated in the next year? And then he grades them over time, and the group that wins that competition are the geezers on the go, right? They beat the intelligence analysts by 60%, uh, a group that had access to classified information, right? But that's not even the important finding. The important finding is inside the geezers was another group that he called the super forecasters, who beat everybody else by another 60%, right? And proved that it is possible to make forecasts about really difficult problems with many different variables that seem so impossible to solve, kind of like cybersecurity. So it is absolutely possible to calculate that number. And now with a gentic AI and which is uh artificial intelligence tools, it's pretty easy to do that on the fly, right? So that's gonna be a feather in our cap as we move forward.

SPEAKER_01

Are you seeing practical solutions in that area? Because I certainly it makes sense, and I'm sure there's mathematical uh proofs that you could do that if you know your assets and you know who accesses them and uh what what uh data's on them, and you know what the bad guys are doing, et cetera, et cetera, you can come up with a pretty good risk number. Is anyone and without promoting anyone, of course, but um is are you seeing actual progress there, or is it still in the rhetoric and innovation or um development stage?

SPEAKER_00

It's past the rhetoric stage, and there's a handful of people doing it for real. All right, you know, uh a couple of insurance companies are adjusting their coverage based on how well risk is uh captured with their clients. There are field C uh uh field S uh contractors, CISOs that are kind of doing it as their as their way to show value to their uh potential customers. So so it's more than just slide decks, uh, but it's still just a handful of people. And that what I what I am predicting is that because of AI, it's so much easier to build these things yourselves. That I predict that that will be a tool that most senior security professionals use when they are breeding boards and senior leadership.

SPEAKER_01

Yeah, I think so too. And it makes sense that if you can do that, then you can link that to an AI agent that would look at that and turn the knobs, uh adjust your controls, write new detection rules or detection logic, etc. Um, is that what you're saying?

SPEAKER_00

The big epiphany, John, was for me, was that you know, I hear probability and you think math, and oh my god, it needs to be very precise, very accurate, talking about five nines of precision. And just because, you know, that's how that's how we were trained, you know, going to college and stuff. But it turns out I don't need five nines of precision to make the decisions I'm trying to make as the senior person at a company. I just need ballpark precision, good enough precision so that I can decide if I need to buy the new firewall or not, right? So I don't need to have five nines, I just need, you know, you know, it's close enough, right? And it turns out that there are public information, and I'm gonna highlight one company that I really like. It's called Scientia. They deal in these kinds of calculations and they publish public reports that you can just grab and take a look at. You can say, you know what, for our industry, for the size of revenue we bring in, here's what the number is, right? And it's you know, uh you can just look it up and start from there. Uh, that's a pretty good thumb down uh probability that you can use to make some decisions with it going forward.

SPEAKER_01

And I mean, this is this is a tough question to answer, but I'm gonna ask it anyway. Is if you knew, so say you're the CISO of a large organization, uh if you knew uh within reason what that probability was, uh, what your risk factor was, are there particular knobs that stand out that you would turn, or is it situational?

SPEAKER_00

Um, you know what we're finding is that it's a top-down approach. Right? You're a lot of people like to start from the bottom up and say, you know, if we add this control, we can reduce our risk, then add the next control or reduce our risk. Okay, but what happens is they start to find that they don't get that much bang for the bunk by doing it from the bottom up because there's only so much risk you can relieve, right? Um, but if you start from the top down, look at that top number. Like, for example, financial organizations, according to Scientia, they have generally have about a 20% chance of being hit by some material event in the next year or so, right? They can then add top-down controls like uh identity and access management, let's say. And if they make that program mature, they can drop that percentage down by two or three points, maybe even four or five points, right? And the the thing that's hard to understand is that that is not infinite because you're never going to get it down to zero. There's always going to be some risk because you know, bad guys figure things, figure things out and get around your prevention controls, right? But you're gonna start something with big things, and that's about as good as it's gonna get, and that's probably okay. Does that make sense?

SPEAKER_01

It does make sense. You you Certainly at a certain point you have to accept the risk. Yeah. But you want to do that at an acceptable level. And certainly, if you're getting cyber insurance, um, an underwriter or an inspector is going to, or even an auditor is going to help you get to that point. Um, but you have to have some judgment. And after a while, you're throwing throwing good money after bad.

SPEAKER_00

Yeah, you know, they're you can get the stat off the internet, but uh, you know, Fortune 500 companies, depending on who you ask, uh, they average about 64 security tools in their security stack in their deployment across the enterprise. 64 tools, right? And you you start when you start thinking in terms of probabilities, you know, if you put the first, say, 12 in, that might reduce the risk significantly. But as you start putting in the next 12, you're getting incremental risk reductions. And by the time you get to 64, you're it's probably not worth the money you're spending, all right, to get the risk reduction that you're trying to get. So it's just a way to talk about these kinds of um uh resource decisions, you know, in terms of people, process, and technology with senior leadership and the board.

SPEAKER_01

Yes, and that's a great segue to the cybersecurity bridge, how we get from here to there. Because what you're suggesting, I think, uh reminds me, I mean, uh we've been programmed as security people to think in terms of categories. Yeah, analysts do this, but uh our practitioners do it too with budgets and with skill sets and with uh hiring and everything like that. And it's likely that our our agents are going to have multi-function coordination. So do you see uh I I don't know how to I don't know how to ask this, but is there a new CISO mindset that has to take place? Is there any kind of training? So what do we have to anticipate as we break these categories?

SPEAKER_00

Yeah, I um I you know, the big everybody's worried that you know, artificial intelligence and agents are and you know, we've all heard the news uh headlines about mythos and you know, it's the internet apocalypse and all of that. Um, and yes, I think in these next couple of years, there's gonna be some significant disruption. But you know, those software tools work both ways, right? If if I'm uh in charge of my infasec program at any size organization, and I can leverage that to better protect my organization, to implement the strategies that I've decided to roll out, whether you're still doing zero trust or intrusion kill training, or you're moving to resilience, um, that's gonna be in our favor that we can automate that stuff with a gentic AI and uh be on par with the bad guys are using that to try to defeat us. So, my uh estimate here is for the next couple of years, there's gonna be a lot of chaos as we try to figure that out. But I think we're gonna level set, okay? It's gonna go back to like it is now, but both sides using artificial intelligence to do that. What that means for people like me and people like you is we got to get our hands around how do you manage identic AI in the security uh posture of your organization. Um, it's way more complicated uh than we think. Uh and if you're not playing with that stuff right now and trying to get your hand around it, uh you're gonna be left behind in the dust.

SPEAKER_01

Yeah, so one of my fears, Rick, you kind of hinted at it, but I'll build on what you said. Yeah, I'm a large enterprise with 64 tools. That means I have 64 vendors who are gonna offer me agentic solutions. Yes, they are. Those agentic solutions are gonna uh um complement each other in some ways, but uh uh bite with each other in other ways. And uh so I think you're right, you have to go in with your eyes open and understand this. And what I saw at RSA was I I I kind of characterize it as a a third, a third, a third. A third of the C ASIOs I spoke to had their eyes open. They went there with their uh engineers and architects. A third went in with their eyes half open and said, This is changing, but I have no idea what to do. And a third said, I'm I'm too small, I don't need to worry about this. Ah, that's typical. Yeah, that's very typical of us. It's historically that was always true, but um, I think things are moving so quickly that you there's a wake-up call around the corner for everyone.

SPEAKER_00

Well, let me give you the Pollyanna way you could go. When it turns out that everything works perfectly, right? Which what I would like to see. So if I have 64 tools in my enterprise and a new adversary campaign from Wicked Spider rolls out, we can collect that intelligence. And in the past, before we've had an AI, someone manually had to go through and figure out all the controls that we were gonna turn on to prevent Wicked Spider from being successful, and so that's a really manual process, really hard to do. We've said for years that we'd want to automate that, but nobody really has. When we get to the perfect world, John, we're gonna have agents that say, here's the new intelligence on Wicked Spider. Here are all the controls we can absolutely deploy, and it's getting to figure out what control to turn on for all 64 tools in an instant, right? So that's the Pollyanna way you could go. Um and not the the apocryphal uh we're all doomed because the AI is gonna screw everything over.

SPEAKER_01

Yeah, but no one will sell anything if it's Pollyanna. So no, that's true. That'll be yeah, everything will just work perfectly. Yeah, with no problems, yeah. Yeah, no standards issues, no bad.

SPEAKER_00

No compliance issues. No one's gonna get blamed when the agent turns off everything by mistake, you know, nothing like that.

SPEAKER_01

So let me not a contrary view, but uh one of the things I'm finding is that there's so much hype about AI feature functionality, and there's not enough talk about data. And so, like for instance, I've been doing a deep dive on threat intelligence, and there's this notion that threat intelligence is a commodity, and it's absolutely not. And I'm I'm just wondering if you're seeing that or are you seeing people really recognizing that or no?

SPEAKER_00

I haven't seen people recognizing it as it's a commodity. Um, although I agree with you that what we see in the um in the public space, it feels like it is. Um, threat intelligence has been I've been a threat and tell guy for my entire career since you know since I was in the army. We have never transitioned to automating that process. It's all still hugely manual, which I which is incredible to me at this point in 2026, that we still have analysts. Uh, you know, they have tools that help them sit through the data, but you know, to make conclusions, it's still mostly manual. Um, the future, the shiny future is that we can automate most of that grunt work with these AI agents and turn it away from very interesting Intel that we can make decisions with, which by the way, that's what the Intel teams are supposed to give you: a way to make some decisions, not just give you reports about how bad things are, you know, what bad things are happening. Um, I kind of rambled there. Am I in the right ballpark for answering that question?

SPEAKER_01

You're absolutely in the right ballpark. And uh I think I mean I just posted on LinkedIn about this yesterday, is like garbage in, garbage out, uh, and the models are only as good as the data that you give them. So we have to focus on that. I think there'll be like if you are a security data engineer, your future is bright. You will have lots of opportunities.

SPEAKER_00

Yeah, and I and I think that if you are embracing the AI models now uh in learning how to make them the most efficient, that's where you're gonna, that's where you're gonna progress in your career. All you all the junior level and mid-tier people that want to move up, they should be focusing on understanding how that all works so they can provide value to their organization. Uh, that's the advice I would give.

SPEAKER_01

Yes, one one vendor I work with calls it human augmented autonomous stuff. And I and I I I mean there's a lot of words there, but it it it does communicate the right message. So I'll ask you one more question, then I want to talk about, uh quickly talk about the cybersecurity canon. But one other question is um for cyber resilience to work, it has to be embraced by the executives. And I saw this one statistic that some companies are establishing KPIs for cyber resilience. I'm not sure that I buy widespread um KPIs for cyber resilience yet. So uh what do the executives have to learn, or or are they learning it in your experience? Uh the lessons on cyber resilience.

SPEAKER_00

Yeah, I I we're not there yet. Executives uh first cyber executives don't really understand the magnitude of what has to happen here. And that therefore that means that senior staff and board members don't get it either. What I'm talking about here, when I say resilience, and I said, yeah, backups and restorers should be some of the things we're really good at, but we need to be really good at backups and restorers, meaning push button efficiency to say this uh Google Cloud instance is going to be shifted from uh North America to Singapore, okay, in an instant, right? And it's not that we just try that every once in a while. We're practicing that every day, right? That we are so good at that that it nobody even breathes hard when it actually has to happen. This is an area called uh chaos engineering, it's been around for about 15 years. Uh, Netflix made it famous uh when they transitioned from being a mail your CDs to the um to their customers to being a streaming service. They on purpose uh had uh designed things so they make sure that nothing would fail and everything would keep going uh whenever there was a problem. And I get to still keep watching, you know, The Witcher on Netflix, and I wouldn't even notice that they had an out, you know, an outage. They made it famous. Uh, there are a number of books um that are out there that talk about that, but it it is still a niche in our community. And by the way, not embraced by the security community. It's still over on the IT side, still on uh the operational side. And um, I think that's a mistake. It should be embraced, we should own that kind of thing.

SPEAKER_01

Yes, I've noticed over the last 10 years, um, people who are really smart that I follow would say we need to transition from um security people who are reactionary to ones who know coding and engineering. And I think that really hints at what you're talking about. But let's let's talk a little bit about the cybersecurity canon. I participated way back when, hopefully, I'll be participating again. Just describe what it is because I think it's one of the most worthwhile projects in cybersecurity, um, but it's not as well known as it should be.

SPEAKER_00

Yeah, one of my uh yeah, it's not as well known. So thank you for giving me the opportunity to talk about it. Uh, like you, John, I'm a big reader of books. And uh uh it when I was the CSO at Palo Alto Networks, one of my jobs is to go around and talk to customers. And I noticed that my peers had stopped reading books. And there's lots of good reasons for it, all right, is mostly because our field changes so fast, and there's so much information out there that the natural tendency is to try to consume as much as possible. So instead of reading a book in total and trying to learn from it, uh, you are reading summaries of books. Uh instead of listening to a podcast, you're uh listening to the podcast on triple speed because you're just trying to keep up. And it's counterintuitive, right? That if you want to learn something new or relearn something that you thought you knew, you have to slow down. You have to kind of wallow in the material. And I still think the book is the perfect vehicle for when you're trying to do that. And I when I say book, I mean hard copy books, kindled books, audiobooks, whatever it is. This container of information is usually a the life experience of some expert on what you're trying to learn. So I got this wild hair about 10 years ago, and I said, you know what I'm going to do is create the rock and roll hall of fame for cybersecurity books. And I reached out to you, John, that said, come on to the committee, you read the books, write reviews, and make the case that a book you're reading is either a Hall of Fame book, meaning if you haven't read it yet, there might be a hole in your education, or it's a niche book, meaning it's a great book, but not everybody in the community has to read it, like it might be a book on SCADA. Still a great book, but not everybody has to read it. And the third category and the service we give to the community is do not read because there's lots of crap cybersecurity books out there. And if you're gonna take time to read one, maybe don't read a bad one. So the vision of the uh Canon, all volunteer nonprofit cybersecurity canon project is to be the first source for curated and timeless cybersecurity wisdom. Not the only source, but the first source. Our mission is to find the books that you should read to enhance your career. And we've been doing it for 10 years. We got about 50 books in the Hall of Fame. Um, there are 50 members on the committee. And John, you're coming back to help us. Uh, you're one of the first people we re out we reached out to when we started this. It is much more mature now. We're glad to have you back in the fold. Thank you, Rick.

SPEAKER_01

It's it's nice to be back. And I'll just add two quick things. One is there's no sense of history in what we do. And that's beyond security. That's IT. Like you talk to young IT people, they have no idea who digital equipment was or even some microsystems. So you get that sense of history. The second, and I always say this when people uh from outside the industry say, I want to get into cybersecurity, I say start by reading fiction, figure out what's interesting to you, and then go into the specifics, and the and you can absolutely um get a guideline to do that by looking at these books. So, Rick, we've come to the end. Sadly, we've come to the end of the podcast. Uh, I could talk to you for hours and hours and hours. But um, the last question for me is what's the one piece of advice you'd give our audience, cybersecurity professionals, CISOs, what have you, uh, that should be their takeaway from this podcast?

SPEAKER_00

What I've learned in my career is the most valuable skill that I've developed is not being the smartest person in the world on cybersecurity or anything like that. But the skill that you need to hone is being able to communicate what you know to people who are really smart but don't know what you know yet. Right. And you know, being able to tell a story to senior leadership and to board members so that they can make an they can understand what you're dealing with and make some decisions at the very top level, right? If you can do that, okay, that is a skill set that will help you wherever you go, but especially in cybersecurity.

SPEAKER_01

Sage wisdom to end the podcast. I'm smiling, Rick. I've been smiling most of the time when you were talking. So I truly appreciate you being on my podcast. Thanks again. Thanks, John. It's good to see you. And um, I'm glad to have you back in the Canon Fold, sir. Thank you. It's good, like I said, it's great to be back. And for my audience, thanks for listening and tune in in another couple of weeks for the next edition of the Cybersecurity Bridge podcast.