Cybersecurity is often perceived as a labyrinth of technical jargon, intricate systems, and challenging threats. This perception can create barriers for organizations attempting to understand and manage their cyber risks effectively. When I envisioned the Cybersecurity Compass, my goal was to demystify these complexities, offering a tool that could be understood by non-technical stakeholders while also serving as a strategic framework for cybersecurity professionals.

Throughout my career as a university professor, I’ve always sought ways to explain complex concepts in simpler, more digestible forms. This passion for making the intricate understandable led me to embrace the Feynman Technique — a method that simplifies complex ideas by breaking them down into their most basic, understandable parts. The Cybersecurity Compass is a direct result of this approach. It’s a strategic tool that not only guides cybersecurity experts but also makes the subject accessible to everyone, regardless of their technical background.

This approach is rooted in the belief that complexity is the worst enemy of cybersecurity, a concept famously articulated by security expert Bruce Schneier in 1999. As systems become more complex, they introduce more points of failure, more vulnerabilities, and greater challenges in maintaining effective security. Complexity creates confusion and opens the door to errors, making it harder to secure systems and implement strategies effectively.

The Cybersecurity Compass, by focusing on three core stages — before, during, and after a breach — embodies the principle of simplicity that I advocate. It provides a clear, manageable framework that helps organizations navigate the complexities of cybersecurity without getting lost in unnecessary details. This structured approach not only enhances understanding but also strengthens the overall security posture by reducing the risks associated with complexity.

In this article, I will explore how the Cybersecurity Compass aligns with the principles of the Feynman Technique, demonstrating how both tools can be used to break down the complexities of cybersecurity into actionable, understandable steps. By embracing simplicity, we can make cybersecurity more accessible, more effective, and ultimately more secure.

Understanding the Feynman Technique

Richard Feynman was not just an American physicist; he was a key figure in one of the most significant scientific endeavors of the 20th century — the Manhattan Project, which developed the atomic bomb during World War II. His groundbreaking work in quantum electrodynamics later earned him the Nobel Prize in Physics in 1965. But what truly set Feynman apart was his ability to make the complex simple. Despite his extraordinary achievements, Feynman believed that his success was rooted not in innate genius but in hard work and a relentless pursuit of understanding.

Feynman famously stated, “I was an ordinary person who studied hard, there’s no miracle people. There’s no talent or special miracle to study quantum mechanics that comes without practice and reading and learning and studying.” This belief in the power of straightforward, diligent learning led to the development of what is now known as the Feynman Technique. At its core, this technique is based on the principle that you only truly understand something when you can explain it clearly and simply, as if to someone with no prior knowledge of the subject. Feynman’s approach strips away unnecessary jargon and complexity, forcing you to confront what you do and don’t know, making it easier to fill in the gaps in your understanding.

The Five Steps of the Feynman Technique

1. Choose a Concept: Start by selecting the concept you want to master. You can choose any topic or idea, whether it’s related to cybersecurity, a different field, or even an everyday concept you want to understand better.

2. Teach the Concept: Now, imagine you’re teaching this concept to yourself or someone else — perhaps a child or a person completely unfamiliar with the topic. The key is to use simple, everyday language. Avoid jargon or complex terms; instead, explain the idea as if you were telling a story. This step forces you to distill the concept down to its most basic components.

3. Find Gaps: As you explain, pay close attention to any areas where you struggle or hesitate. These are indicators of gaps in your understanding. Perhaps there’s a detail that doesn’t quite make sense or a part of the concept that you can’t explain as clearly as you’d like. These weaknesses are opportunities for further learning.

4. Clarify: After pinpointing these weaknesses, return to your source material — whether it’s textbooks, articles, or other resources — and study those areas more deeply. The goal is to clarify your explanation until you can articulate the concept smoothly and with confidence. This iterative process helps to solidify your understanding.

5. Create a Story: Once you’ve clarified your understanding, make your explanation more engaging by adding analogies, visual aids, or diagrams. Weaving these elements into your explanation not only solidifies your knowledge but also makes it easier to communicate the concept to others in a way that is both informative and entertaining.

The Power of Three with the Cybersecurity Compass

When simplifying complex concepts, I always aim to break down the information into three key points or steps. There’s a reason why I consistently choose the number three: it’s simply easier to remember and process.

The human brain is naturally inclined to recognize patterns, and three is the smallest number that forms a complete, memorable pattern. This is why we often encounter things grouped in threes across various forms of communication, from literature to advertising, and even in teaching methods. Phrases like “mind, body, and spirit,” or “past, present, and future” stick with us because they follow this rule of three. Similarly, the Cybersecurity Compass is structured around the phases of “before, during, and after a breach” to provide a clear, intuitive framework for understanding and managing cybersecurity risks. These three stages capture the full lifecycle of a cybersecurity incident, making it easier for organizations to remember and implement effective strategies.

However, the Cybersecurity Compass goes beyond simply breaking down the process into three stages. These stages — before, during, and after a breach — are interconnected and form a continuous cycle. This interconnected design reflects the reality that cybersecurity is a never-ending process, driven by the constant evolution of both the business landscape and the threat environment. Businesses are always moving forward, innovating, and adapting at a rapid pace, while attackers are simultaneously evolving their tactics, looking for new ways to exploit vulnerabilities. One evolves for the better, while the other evolves for the worse.

For me, reducing a concept to three main points ensures that the information is not only easier for others to understand, but also more likely to be retained and recalled later. This simplicity helps ensure that the key ideas are not overwhelmed by unnecessary details. It also makes the concept feel more approachable, which is especially important when teaching or explaining something unfamiliar to others.

This principle is precisely why, when I created the Cybersecurity Compass, I structured it around three key concepts in three concentric rings. This design reflects my belief in the power of threes to simplify and clarify complex ideas. The concentric rings help to visually and conceptually organize these ideas, emphasizing the continuity and never-ending nature of cybersecurity. The Cybersecurity Compass thus becomes not just a strategic tool, but also an easy-to-understand guide that both experts and non-technical stakeholders can use to navigate the complexities of cybersecurity in a rapidly changing world.

The Cybersecurity Compass: A Strategic Overview

The Cybersecurity Compass is more than just a metaphor; it is a strategic framework that guides organizations through different stages of cybersecurity management. The compass is divided into three main areas: Cyber Risk Management, Detection and Response, and Cyber Resilience. These areas are designed to help organizations navigate the various phases of a cybersecurity event, from preparing and preventing incidents to responding effectively during a breach and recovering afterward.

• Cyber Risk Management (Before a Breach): This section focuses on proactive and predictive measures. It includes strategies for identifying potential threats, assessing cyber risks, and implementing controls to mitigate those risks before they can result in a breach.

• Detection and Response (During a Breach): This area addresses the reactive and defensive measures that need to be in place during an incident. It covers the detection of threats and the immediate response required to contain and mitigate the impact of a breach.

• Cyber Resilience (After a Breach): After a cybersecurity incident, the focus shifts to recovery and improvement. This area emphasizes the importance of learning from incidents, improving defenses, and ensuring that the organization can quickly return to normal operations.

These three areas are interconnected, representing a continuous cycle of improvement that enhances an organization’s overall security posture. The compass visually aligns these processes, making it easier for organizations to understand their current position and what actions need to be taken next.

Applying the Feynman Technique: Simplifying the Compass

Here’s how this technique can be applied to explain the Cybersecurity Compass:

• Cyber Risk Management: Imagine this as preparing for a journey. Before you set out, you map out your route, check the weather, and ensure your vehicle is in good condition. In cybersecurity, this means identifying potential threats and putting measures in place to avoid or mitigate those risks. It’s about being proactive — like packing an umbrella if you think it might rain.

• Detection and Response: This is like being on your journey and encountering a storm. You need to quickly recognize the danger (detection) and take immediate action (response), such as finding shelter or adjusting your route. In cybersecurity, this involves monitoring for threats and reacting swiftly to minimize damage when an incident occurs.

• Cyber Resilience: After the storm has passed, you assess the situation — perhaps your car needs repairs, or you need to find a new route. This is analogous to the recovery phase in cybersecurity, where the focus is on restoring operations and learning from the incident to improve future resilience.

By using the Feynman Technique, each component of the Cybersecurity Compass can be broken down into relatable, everyday terms, making the complex field of cybersecurity easier to understand and more accessible.

Guiding Organizations Through Complexity

The Cybersecurity Compass, combined with the Feynman Technique, offers a powerful framework for both understanding and managing cybersecurity. By simplifying complex concepts into clear, actionable steps, organizations can ensure that all stakeholders — from executives to frontline employees — are equipped to navigate the challenges of cybersecurity. This approach fosters a culture of continuous improvement and proactive risk management, ultimately leading to stronger, more resilient cybersecurity practices.