A Board Presentation on Cyber First Principles
The Board's Role is to insist on Material Risk Reduction
Right now, boards are approving millions in cybersecurity spend every year without knowing if it actually reduces risk.
I run a small consulting service called First Principles Consulting where I advise clients on cybersecurity strategies that buy down business risk.
Last week, I briefed the board of an organization that is large in terms of revenue. The board secretary asked me to talk about my book and how it applies to board oversight.
Further, she wanted me to give an overview of the Mythos platform and recommend how the board should think about this latest cybersecurity threat. I had 20 minutes.
Here is what I presented:
Let’s be a Bit Controversial
Business leaders and board members have let security pros like me get away with Fear, Uncertainty and Doubt briefings for three decades. I call them FUD briefings.
I’ve been in the cybersecurity field for over 30 years. I’ve spent gazillions of dollars pursuing the accepted industry best practices of the day just like everybody else. But about 10 years ago, I had to admit that I really couldn’t tell my organizational leaders whether or not I had actually improved our defenses in some meaningful way; that what I was doing actually helped the business by improving its risk posture.
Oh, I collected the technical metrics by counting all the security things. I produced big and scary looking heat maps to justify additional funding for the next perceived threat. And the heat map slowly became the industry standard for conveying cyber risk to leadership.
But, I mean, just look at that chart. Those are adjectives, feelings. They don’t represent facts about the business. And if the “critical” label in the top right corner wasn’t scary enough, we color coded it red just to make sure you didn’t miss the point.
How do you make resource decisions based on feelings? It’s like saying we should buy the next firewall because they’re fluffy. That doesn’t make any sense.
When my peers and I get together behind closed doors, you know, at the bars, on the side streets near the conferences we were all attending, we unabashedly call the Heat Map the FUD briefing.
Looking back over my career, I’m a bit ashamed that I did that; that we all did that; that board members and senior staff let us get away with it. More importantly, I’m embarrassed that, back in the mid-1990s, just after we invented the CISO job, my peers and I somehow convinced business leaders and board members that cybersecurity risk was special; different than all the other risks that the business had to deal with.
We said that cyber risk was so distinctive that it required special handling compared to all the other business risks like strategic, financial, operational, etc; that cybersecurity risk was so technical and scary, that it couldn’t be thought of in the same business risk terms.
We were wrong, of course.
But we made business leaders believe it and, by the way, business leaders let us get away with it.
A Reboot of Cybersecurity Strategy
Don’t get me wrong. The cybersecurity people-process-technology triad did improve. We got better at what we were doing. We just never stopped to consider if we were going in the right direction in the first place. Most of us couldn’t even articulate a direction at all other than we need more stuff, and we absolutely couldn’t tie our efforts back to measuring business risk.
It occurred to me that what we needed was to wipe the table clean. Get rid of all of our assumptions about what works and what doesn’t. Eliminate all the frameworks and compliance standards and start from scratch. This, of course, got me to thinking about the idea of first principles.
I looked at the historical big thinkers, the philosophers, like Aristotle and Descartes. Descartes, perhaps the GOAT of first principle thinking with his
Cogito Ergo Sum - I think, therefore I am.
I looked at the mathematicians like Whitehead and Russell, who reinvented the language of math from the ground up when they realized that the accepted rules of mathematics could be used to derive contradictions. It took them several hundred pages of Principia Mathematica to get to the proof that 1 + 1 = 2. And in my favorite footnote of all time, the authors said, and I quote,
The above proposition is occasionally useful.
Who knew that math nerds could be funny?
I even looked at Elon Musk and how he solved the problem of reusable spacecraft. He didn’t look at what NASA did in the 1960s and take the next step. Instead, he threw everything out and started from scratch with first principles.
These big thinkers, and many, many more, tackled gigantic complex problems by reducing them to first principles first, and then reasoning outward from there.
First principles are atomic. They are the foundation for everything that follows. They are the absolute “What” regarding the thing we are trying to achieve, reduced to its essential essence. Once you find them, you can’t break them down any further.
Cogito Ergo Sum- I think therefore I am.
Which made me wonder, what is the absolute cybersecurity first principle?
The Absolute Cybersecurity First Principle
I won’t bore you with the many iterations I went through, but three years ago, I published a book where I made the case for what I believe is the absolute cybersecurity first principle. Here it is:
Reduce the probability of a material cyber event within the next business cycle.
That’s it.
It seems simple. It’s no longer than a tweet. But in practice, it’s quite complex. It’s actually three things:
Reduce the probability.
Worry only about material business impacts.
Forecast within the current business cycle.
In order to reduce the probability, you have to calculate the current probability. As an industry, we’re really quite bad at this. Most of us avoid the question because calculating it seems hard. There’s math involved, and probabilities. Because of that, we think we need five nines of precision and accuracy. Most of my peers think that this kind of quantitative analysis is impossible in the cybersecurity space.
So we punt and give business leaders qualitative analysis in the form of heatmaps. And by the way, there are reams of scientific papers that have proved, over and over again, that heat maps are just bad science when it comes to conveying risk to senior leaders (See the Hubbard and Seiersen 2018 Cybersecurity Canon Hall of Fame Book, How to Measure Anything in Cybersecurity Risk or my summary of it in the Resources section below).
The thing is, you don’t need that kind of detail; you don’t need five nines. You’re looking to make business decisions to buy down risk. What you need is good-enough, ballpark, order-of-magnitude precision and accuracy, so that a business leader can decide whether to buy the new firewall or not, whether to hire that new SOC analyst, or whether to implement that new access management policy.
Calculating that probability can be done and I talk about how to do it in my book. And this is what it might look like for this large company.
This is a first-draft loss exceedance curve: for the next year, it forecasts the probability that total losses will exceed each dollar threshold on the horizontal axis. It is an outside-in forecast, meaning it does not take into account any of the generic company’s deployed defensive measures. It considers only the general case: what is the probability of a material loss to any institution of the same size and vertical in terms of revenue? If we factored in their deployed infosec program, these numbers would most likely be two to three points lower.
For example, in this outside-in analysis, the probability that this generic company loses more than a million dollars in the next business cycle is 6%. The chance that it loses more than $100 million is just 0.65%. The brown dot marks the generic company’s material loss threshold. I made an assumption that any loss under $2 million would hurt but would not be material to the business, and that anything greater would be. The probability of exceeding that threshold is 5.54%.
Here’s my point: wouldn’t you rather see a loss exceedance curve, built on concrete business data and explicit ranges of uncertainty, that estimates the probability of a material loss within the next year to the right order of magnitude, rather than qualitative Heat Maps and their fluffy adjectives?
The bottom line is this: If we can’t estimate the probability of loss, then every cybersecurity investment is effectively a guess based on feelings and fear. We can do better than that and I believe boards can provide the guidance to get us there.
First Principle Takeaway
Thinking in terms of first principles reduces cybersecurity to its essence: What is the probability of a material cyber event in the next business cycle? This focuses the entire activity on business goals. It gives senior leaders and board members a path to weigh cyber risk against all the other business risks and to evaluate whether the spend is worth the investment. First principles turn cybersecurity from a cost center into a capital allocation problem. Once you define probability, materiality, and time, every dollar you spend can be evaluated against how much risk it actually removes.
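The curve discussed above was built with the author's own model and data, which are not on this page. As an added example that is not the author's code, here is a minimal Monte Carlo version of the same idea in Python, covering both the loss exceedance curve and the "how much risk does a dollar remove" question from the takeaway: it uses the calibrated-estimate convention from Hubbard and Seiersen (a 90% confidence interval for the cost of one loss event, converted to a lognormal distribution), a Poisson event rate for how many such events occur per year, and then compares the probability of exceeding the material threshold before and after a control. Every number in it (0.6 events per year, a $50k to $5M loss interval, a $2M threshold, a hypothetical control that cuts the event rate by 25%) is an assumption chosen for illustration, not the generic company's figures, so the resulting percentages are not the ones on the author's slide.

```python
"""Monte Carlo loss exceedance curve (added illustration, not the author's model).

Assumptions (not from the presentation): annual event count ~ Poisson(rate),
loss per event ~ lognormal fitted from a calibrated 90% confidence interval.
"""
import math
import random

Z_90 = 1.645  # the 5th/95th percentiles of a normal sit +/- 1.645 sigma from the mean


def lognormal_params_from_90ci(lower, upper):
    """Turn a 90% CI on one event's dollar loss into lognormal (mu, sigma).

    Hubbard/Seiersen convention: the estimator says "I am 90% sure one incident
    costs between `lower` and `upper`"; the logs of those bounds then sit 1.645
    sigma either side of mu, so the median single-event loss is sqrt(lower*upper).
    """
    mu = (math.log(lower) + math.log(upper)) / 2.0
    sigma = (math.log(upper) - math.log(lower)) / (2.0 * Z_90)
    return mu, sigma


def poisson_sample(rng, rate):
    """Knuth's method: count uniform draws until their product drops below e^-rate."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years, event_rate, loss_ci, seed=2026):
    """Return one simulated total dollar loss per year for n_years (seeded, so repeatable)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params_from_90ci(*loss_ci)
    totals = []
    for _ in range(n_years):
        n_events = poisson_sample(rng, event_rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def exceedance_curve(annual_losses, thresholds):
    """P(annual loss > t) for each threshold t: the loss exceedance curve as a dict."""
    n = len(annual_losses)
    return {t: sum(1 for x in annual_losses if x > t) / n for t in thresholds}


def material_risk(n_years, event_rate, loss_ci, material_threshold, seed=2026):
    """Probability that next year's total loss exceeds the material threshold."""
    losses = simulate_annual_losses(n_years, event_rate, loss_ci, seed)
    return exceedance_curve(losses, [material_threshold])[material_threshold]


def demo():
    # Illustrative inputs only: 0.6 loss events/year, one event costs $50k-$5M (90% CI),
    # material threshold $2M, and a hypothetical control cuts the event rate by 25%.
    loss_ci = (50_000, 5_000_000)
    thresholds = [100_000, 1_000_000, 2_000_000, 10_000_000, 100_000_000]
    baseline = exceedance_curve(simulate_annual_losses(20_000, 0.6, loss_ci), thresholds)
    p_before = material_risk(20_000, 0.6, loss_ci, 2_000_000)
    p_after = material_risk(20_000, 0.45, loss_ci, 2_000_000)
    return baseline, p_before, p_after


if __name__ == "__main__":
    curve, before, after = demo()
    for t, p in curve.items():
        print(f"P(loss > ${t:>12,}) = {p:6.2%}")
    print(f"P(material loss) before control: {before:.2%}, after: {after:.2%}, "
          f"risk bought down: {before - after:.2%} (absolute)")
```

The point of the comparison at the end is the capital allocation question: the difference between the two material-loss probabilities, multiplied by the loss at stake, is what the control's price tag has to be weighed against. An inside-out version of the curve would replace the assumed event rate and loss interval with estimates that account for the company's own controls, which is what the author means by the numbers dropping two to three points.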
Mythos: Vulnerability Discovery and the Burglar Metaphor
Recently, Anthropic, one of the big AI companies, announced a new model, Mythos, and its restricted-access program, Project Glasswing. Security professionals have been reacting to Mythos the way the world reacted to ChatGPT in 2022: stunned by what it can do and uncertain about what comes next.
Mythos is Anthropic’s highly capable AI model designed for cybersecurity tasks, especially vulnerability discovery and exploit development. Because of the potential for misuse, Anthropic is releasing it only through Project Glasswing to a small selection of vendors and infrastructure operators; Mythos isn’t available to the public. To understand the significance of this development, I like to use a metaphor to explain the difference between software vulnerabilities and exploit code.
Think about securing your house from intruders. Nobody’s house is burglar proof. You lock your doors and windows, you subscribe to a security monitoring company, and you have two big dogs that mostly sleep in the living room but you claim that they’re your watchdogs. But, there are weaknesses.
You chose cheap locks, and sometimes you forget to lock the windows when you go to bed. You put the dogs in the kennel at night. Nothing bad has happened yet. You just know that there are certain vulnerabilities in your system.
The same is true for software. Developers sometimes write code with vulnerabilities built in: they made mistakes when writing it, or they didn’t follow the standard rules designed to prevent such things. Hackers, in contrast, write exploit code designed to leverage a specific software vulnerability.
In our house metaphor, a burglar walks up to the ground-floor window in the middle of the night, notices that you forgot to lock it, opens the window, and climbs into the house. The burglar has exploited the vulnerability. When hackers launch an exploit at a piece of software, they are looking to climb through a software window; to gain access to a system on the victim’s network. There is an entire portion of the cybersecurity industry dedicated to finding software vulnerabilities and getting them patched as quickly as possible so that hackers can’t do this.
Why is Mythos Significant?
Before Mythos, building reliable exploit code was an extremely manual and expensive process. Governments would pay anywhere from tens of thousands to over a million dollars for reliable exploit code, depending on the target (Source: Perlroth). That cost is one reason that exploitation of vulnerabilities shows up as the initial access vector in only about 20% of breaches (Source: 2025 Verizon DBIR). Most hackers can’t afford to buy exploit code and don’t have the skill to build it themselves. Besides, there are far easier ways to gain access to a system (stolen credentials and phishing, for example) than running expensive exploit code.
The reason everybody is talking about Mythos is that, among other things, it has greatly reduced the cost of developing exploit code. Just as general-purpose large language models like ChatGPT, Claude, and Gemini can summarize large quantities of text in seconds, Mythos can scan software repositories, identify candidate vulnerabilities, and write exploit code for them in a fraction of the time the manual process required.
Restricting access to Mythos through Project Glasswing buys time, but not much. The underlying capability, scanning code for vulnerabilities and generating exploit code, already exists across competing AI systems. None of them have a purpose-built tool like Mythos yet. They will. And adversary nation-states like China and Russia almost certainly have this capability already. They're just not publishing press releases about it.
I have an old friend who still works at the NSA. This past weekend, we met for breakfast with a bunch of old Army guys, and Mythos was the conversation topic. We asked him if the NSA already had this capability. He just smiled and wouldn’t confirm one way or the other. He gave nothing away, but I would bet $100 of my own money that the U.S. already has this capability and has for some time.
The Mythos Impact Minus the FUD
The impact is that, in the near future, the percentage of attack campaigns that use exploit code will start to go up; way past the 20% I quoted before, because the cost just dropped through the floor.
All of this sounds alarming, even FUD-like, but in reality the only thing that changes significantly is the volume of attack campaigns that use exploit code to compromise victims. It’s not a panic moment. It is a logical progression. Every infosec team of any size already runs some form of vulnerability management. The trick now is to scale those programs using the same technology: discover new vulnerabilities quickly, including in the code your own developers write and not just in vendor products, and patch them before attackers can exploit them. The appropriate response is to focus on your own vulnerability management program to ensure that it can operate at greater speed and scale.
This generic company already has a process to identify and patch vulnerabilities. The question is whether those processes are fast enough in an environment where attackers may also be accelerating. This is where investments in automation, prioritization, and process efficiency become directly tied to reducing risk.
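The question in the paragraph above is measurable. As an added example (not the author's program, and using constructed findings and hypothetical SLA values rather than the generic company's data), here is a Python check that turns a list of vulnerability findings into the numbers a board could act on: the exposure window per finding, counting still-open findings up to the reporting date rather than ignoring them, and per severity the median window, how many closed within SLA, and how many have breached it.

```python
"""Remediation-velocity check for a vulnerability management program (added example).

Constructed sample findings and hypothetical SLAs; not the generic company's data.
"""
from datetime import date
from statistics import median

# Hypothetical remediation SLAs in days, by severity (an assumption, not a standard).
SLA_DAYS = {"critical": 7, "high": 30}

# Reporting date for the constructed data below.
AS_OF = date(2026, 4, 20)

# Constructed findings: 'fixed' is None while the vulnerability is still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "found": date(2026, 4, 1),  "fixed": date(2026, 4, 4)},
    {"id": "F-2", "severity": "critical", "found": date(2026, 4, 2),  "fixed": date(2026, 4, 12)},
    {"id": "F-3", "severity": "critical", "found": date(2026, 4, 10), "fixed": None},
    {"id": "F-4", "severity": "high",     "found": date(2026, 3, 1),  "fixed": date(2026, 3, 20)},
    {"id": "F-5", "severity": "high",     "found": date(2026, 3, 5),  "fixed": date(2026, 4, 15)},
    {"id": "F-6", "severity": "high",     "found": date(2026, 4, 15), "fixed": None},
]


def exposure_days(finding, as_of):
    """Days the vulnerability was (or still is) exploitable; open findings count up to as_of."""
    end = finding["fixed"] or as_of
    return (end - finding["found"]).days


def remediation_metrics(findings, sla_days, as_of):
    """Per severity: finding count, median exposure window, findings closed within SLA,
    and findings that breached it (closed late, or still open past the SLA)."""
    report = {}
    for sev, sla in sla_days.items():
        rows = [f for f in findings if f["severity"] == sev]
        if not rows:
            continue
        exposures = [exposure_days(f, as_of) for f in rows]
        met = sum(1 for f, d in zip(rows, exposures) if f["fixed"] is not None and d <= sla)
        breached = sum(1 for d in exposures if d > sla)
        report[sev] = {"count": len(rows), "median_days": median(exposures),
                       "met_sla": met, "breached": breached}
    return report


def fast_enough(report, min_met_fraction=0.9):
    """The board-level question per tier: is the SLA met often enough (threshold is an assumption)?"""
    return {sev: m["met_sla"] / m["count"] >= min_met_fraction for sev, m in report.items()}


if __name__ == "__main__":
    report = remediation_metrics(FINDINGS, SLA_DAYS, AS_OF)
    for sev, m in report.items():
        print(f"{sev:>8}: {m['count']} findings, median exposure {m['median_days']} days, "
              f"{m['met_sla']} met SLA, {m['breached']} breached")
    print("fast enough:", fast_enough(report))
```

Tracking the median exposure window over time is the "reaction velocity" measurement: if attackers' time from disclosure to exploit shrinks, this number has to shrink with it, and the per-tier SLA attainment is what an automation or prioritization investment should visibly move.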
Last Thoughts
For the past 30 years, cybersecurity has improved tactically but fallen short strategically. Security professionals like me made a bad assumption in the early days that cybersecurity risk was so technical and scary that it was different from all the other business risks. What still surprises me is that nobody called us on it sooner. In hindsight, they should have made us demonstrate how our efforts across the people-process-technology triad improved the risk posture of the business. Three decades later, we are all just now coming to the conclusion that we were wrong.
For the board, everything discussed in this essay reduces to one question: What is the probability of a material cyber event in the next year? Every cybersecurity dollar the board approves should demonstrably reduce the probability of a material loss within a defined time horizon. That’s first principle thinking.
New technologies like Mythos don't change the principle and don't require us to rebuild our programs from scratch. Mythos will make us refocus our tactics. We will need to change our reaction velocity. If we’ve grounded our cybersecurity strategies in first principles, though, they will hold. The adjustment is at the tactical level: operating at greater speed and ensuring our defenses keep pace with the evolving threat.
Resources
C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup, 2025. Data Breach Investigations Report [Report]. Verizon Business, URL: https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf
Gadi Evron, Rich Mogull, Robert T. Lee, Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, Heather Adkins, Rob Joyce, Sounil Yu, Jim Reavis, Katie Moussouris, John N. Stewart, Maxim Kovalsky, Dave Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini, 2026. The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program [White paper]. Cloud Security Alliance Lab Space, URL: https://labs.cloudsecurityalliance.org/mythos-ciso/
Helen Patton, Rick Howard, Larry Pesce, n.d. This Is How They Tell Me the World Ends [Book Review]. Cybersecurity Canon Project, URL: https://cybercanon.org/this-is-how-they-tell-me-the-world-ends/
Nicole Perlroth, 2021. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race [Book]. Goodreads, URL: https://www.goodreads.com/book/show/49247043-this-is-how-they-tell-me-the-world-ends
Rick Howard, First Principles Consulting [Company Page]. Cybersecurity First Principles, URL: https://cybersecurityfirstprinciples.com/
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Amazon, URL: https://amzn.to/4mI7QMU
Rick Howard, 2023. Research on Why the Heat Maps are Poor Vehicles for Conveying Risk [Book Appendix]. The CyberWire, URL: https://www.n2k.com/cybersecurityfirstprinciplesbook
Staff, 7 April 2026. Project Glasswing [Announcement]. Anthropic, URL: https://www.anthropic.com/project/glasswing
Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Cybersecurity Canon Hall of Fame Book]. Canon Review, URL: https://cybercanon.org/how-to-measure-anything-in-cybersecurity-risk/ ; Goodreads, URL: https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk