The Cybersecurity Ballot
Meet the Perennial Candidates
We’ve spent three decades refining tactics but we still haven’t agreed on the fundamental rule that governs all of it.
I’ve been thinking about first principles and what might be the cybersecurity first principle for over a decade. Three years ago, I even published a book about the topic.
Since then, I’ve been tightening my thinking. I haven’t changed my mind on the core concepts of the book. I’ve just gotten better at explaining them. To that end, I’ve published two essays refining my ideas (links in the References section below).
I’m slowly working my way towards discussing what I think the absolute cybersecurity first principle is. But before I get there, it’s worth examining the best-practice strategies most of us have relied on for the past 30 years. These are the leading candidates for the title. They deserve scrutiny before any final claim is made.
The Candidate List
When I ask security professionals what they think the atomic cybersecurity first principle is, they usually answer with one or more items from the set of traditional cybersecurity best practices. Things like:
The CIA Triad
Vulnerability Management
Malware Prevention
Incident Response
Frameworks
Compliance
But according to Caroline Wong, author of the Cybersecurity Canon Hall of Fame book Security Metrics: A Beginner’s Guide, the phrase “best practice” is misapplied by most network defenders.
A best practice should refer to an approach or methodology that is understood to be more effective at delivering a particular outcome than any other technique when applied in a particular situation.
She says that many accepted cybersecurity best practices, although good ideas, have not delivered on those outcomes.
I concur with Caroline. In my own career, I’ve built information security programs around these same best practices. But after 30 years in the field, I have to admit something: I can’t say with any confidence that any one of them is substantially better than another. The common theme is that they all contribute value. But none of them, by itself, is sufficient as the foundational principle on which to build an entire infosec program. Let’s take each one in turn.
The CIA Triad
The CIA acronym stands for Confidentiality, Integrity, and Availability, and the CIA Triad is a general-purpose defensive model intended to apply across all contexts and threat types. But it says nothing about how adversaries actually operate. It doesn’t account for adversary tactics, techniques, or procedures, and it doesn’t incorporate the behavior of the roughly 500 adversary campaigns active on the internet at any given time. If a strategy ignores how real attackers behave, how can it be the atomic first principle? The CIA Triad is not bad per se; it’s just not complete.
One thing to note: As of this writing, I estimate that the actual number of active adversary campaigns is between 250 and 700, depending on who is counting. I use the Tidal Cyber platform and the MITRE ATT&CK Framework to get my range (links in the References section below).
Also, last year, I wrote a three-part series that explores the history, limitations, and potential replacements for the CIA Triad (links in the References section below).
Vulnerability Management
Vulnerability Management has the same problem. First, it’s a never-ending task. “I’ve patched all of our vulnerabilities,” said nobody ever. More importantly, exploitation of vulnerabilities isn’t the biggest problem infosec practitioners face. The 2025 Verizon Data Breach Investigations Report (DBIR) notes that vulnerability exploitation was the initial access vector in only 20% of breaches. If patching is your first principle, what about the other 80% of breaches?
Preventing Malware
The equivalent argument applies to Preventing Malware. The same DBIR says attackers deployed malware in only 45% of breaches. If anti-malware is your first principle, what are you doing about the other 55%?
Incident Response
Incident response as a formal discipline emerged in the late 1980s. You could argue that Cliff Stoll pioneered the practical model when he tracked West German hackers working on behalf of Soviet intelligence, a story he documented in the Cybersecurity Canon Hall of Fame book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. But sometime in the 2010s, the infosec community started to pursue the idea that prevention is too hard and should give way to incident response: drop prevention mechanisms in favor of early detection and efficient eradication. It turns out that this is also too hard to do, mostly because it’s expensive. Small-to-medium-sized organizations can’t really afford to do it, so they don’t. A true first principle must be universally applicable, not reserved for those with the largest budgets.
Frameworks and Compliance
It’s tough to find a hard number, but there are likely dozens of cybersecurity frameworks globally, maybe as many as 50, depending on how you define “framework.” The count varies because there are many different kinds:
Governance Frameworks: Like ISACA’s COBIT (Control Objectives for Information and Related Technologies).
Control Catalogs: Like the NIST Special Publication 800-53 (Revision 5): Security and Privacy Controls for Information Systems and Organizations.
Maturity Models: Like the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).
Regulatory Schemas: Like the European Union’s General Data Protection Regulation (GDPR).
Sector-Specific Standards: Like the North American Electric Reliability Corporation’s Critical Infrastructure Protection Standards (NERC CIP).
Regional Data Protection Regimes: Like the California Consumer Privacy Act (CCPA).
Tickets to Ride (Compliance to gain access): Like the U.S. General Services Administration (GSA) Federal Risk and Authorization Management Program (FedRAMP).
From the very beginning, many security practitioners understood compliance regimes for what they are: attempts to establish baseline parameters for security and privacy programs. These same practitioners view them as necessary evils to avoid fines (GDPR, for example) or as the price of doing business (FedRAMP, for example). But they don’t view them as essential to protecting their organizations on the Internet. You follow them because they are requirements for some business need, but most don’t consider them fundamental to their security program, and therefore they can’t be the basis for any cybersecurity first principle program. Besides, some organizations find it easier to treat fines, if they get caught, as a cost of doing business. That doesn’t seem like a cybersecurity first principle.
Takeaway
The uncomfortable truth is this: cybersecurity doesn’t suffer from a lack of tools. It suffers from a lack of clarity. We keep refining mechanisms without agreeing on purpose. If these traditional best practices aren’t first principles, then we’ve been building programs on secondary assumptions for 30 years. That has consequences.
A first principle must be universal, irreducible, and explanatory. None of these candidates meets that bar. They are useful. They are necessary. But they are derivative.
So the real question isn’t which best practice should win the election. The real question is: what is the governing law of cybersecurity?
That’s where we go next.
References
Caroline Wong, 2011. Security Metrics: A Beginner’s Guide [Cybersecurity Canon Hall of Fame Book].
Goodreads URL: https://www.goodreads.com/book/show/13654596-security-metrics-a-beginner-s-guide
Canon Review: https://cybercanon.org/security-metrics-a-beginners-guide/
Amazon Link: https://amzn.to/47FT1FA
Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead
Rick Howard, 2025. Part II: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead-63c
Rick Howard, 2025. Part III: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/part-iii-is-the-cia-triad-dead
Rick Howard, 2026. First Principle Thinking [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/first-principle-thinking
Rick Howard, 2026. Prior Research on Cybersecurity First Principles [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/prior-research-on-cybersecurity-first
Staff, n.d. Tidal Cyber [Dashboard]. Community Edition. URL https://app.tidalcyber.com/
Staff, n.d. MITRE ATT&CK Framework [Wiki]. MITRE. URL https://attack.mitre.org/