TK Keanini, CTO, DNSFilter.
We all know many geniuses, but how many effectively communicate their ideas and concepts to others? Not many. However, Albert Einstein could—as shown by his famous speeches and writings.
I recently revisited some famous quotes commonly attributed to Albert Einstein and found that several apply to what makes a cybersecurity defensive strategy effective.
When forming a cybersecurity strategy, it is easy to become overwhelmed or have inherited something overly complex and simply impossible to operationalize. I recently considered what it would be like to have Albert Einstein as my chief information security officer (CISO).
I thought about how he would have protected my organization and customers, using some of his famous wisdom (even if a few ideas turned out to be from some other great thinkers).
“We cannot solve our problems with the same thinking we used when we created them.”
As demonstrated by this quote, he certainly was a proponent of using creativity and thinking outside the box.
For the last 30-plus years, I’ve said that cybersecurity is a game of innovation. I also think of another famous Einstein quote: “Imagination is more important than knowledge.” This explains why a 15-year-old can be as effective as a nation-state actor when it comes to compromising a Fortune 500 organization.
Attackers constantly evolve their tactics, so defenders must innovate rather than rely on outdated security models. Zero trust, AI-driven defense and proactive threat hunting are essential for staying ahead. Sit still long enough, and you will be compromised.
Threat actors are always thinking outside the box—defenders must do the same. Creative threat hunting, anomaly detection and adversary emulation can uncover threats that traditional tools miss.
“Intellectuals solve problems; geniuses prevent them.”
It’s a little unclear whether Einstein said this verbatim, but there’s still an important lesson for cyber defenders: While it’s crucial to have skilled professionals who can respond to cyberattacks, it’s even more critical to prevent them.
Proactive security will always be more effective than reactive defense. A strong risk assessment, robust security architecture and preventive controls like DNS filtering, multifactor authentication and network segmentation help mitigate threats before they become incidents.
“If you can’t explain it simply, you don’t understand it well enough.”
As pointed out in another one of his most famous—although disputed—quotes, you only understand something if you can explain it clearly: Effective security policies won’t do much good unless they are communicated to employees, leadership and customers.
Complex security practices must be distilled into actionable training and policies. I am not saying this is easy; what I am saying is that it’s worth putting in the time to ensure that nothing is too complicated to understand. I always feel that it is my fault that people don’t know what I am trying to communicate, not theirs, so I work to simplify it.
Respect the complexity enough to remove it from your communication. Complexity is, in itself, a weakness in this context.
“Not everything that can be counted counts, and not everything that counts can be counted.”
Frequently misattributed to Einstein, this quote actually comes from sociologist William Bruce Cameron—but the sentiment holds.
Cybersecurity metrics must go beyond just incident counts or security operations center alerts. Organizations should focus on risk reduction, attack surface management and threat modeling rather than just numbers. What you measure will also drive human behavior, so think through this carefully, as you will want the right behavior to win over the wrong or unexpected behaviors.
Two things will help here in your program:
1. Ensure that what is being counted is semantically stable. For instance, 42 (or whatever number) of what? If your community (i.e., the organization being protected or a specific market sector) does not understand what is being counted in the same manner, 42 or 4,422 will not matter.
2. Filter all the data science down to what questions are being asked and by whom. When looking at a graph or chart, can you explain what it is addressing and how it applies to your role? For example, are we operating within budget this quarter? Is there a time of day when I am most vulnerable?
Both of these techniques will help you pick the cybersecurity metrics that matter most to you and your organization.
“In the middle of difficulty lies opportunity.”
American physicist John Archibald Wheeler allegedly used this phrase to describe how Einstein worked, and it certainly applies to cybersecurity.
Every breach or attack is a learning opportunity. Post-mortems and incident response retrospectives help organizations strengthen their defenses. Organizations should embrace red teaming, bug bounty programs, ethical hacking and AI-driven security tools to stay ahead of attackers.
Final Thoughts
These pieces of wisdom emphasize innovation, adaptability, prevention and clarity, which align perfectly with modern cybersecurity strategies. Whether applying zero trust principles, AI-driven defense or industry frameworks, these principles remain timeless.
In the same way that zero trust principles were built on the “least privilege” tenet, we must ensure that all of our practices tie back to solid foundational principles and filter out those that are weak or redundant. If we don’t, we will be left with strategies that are too complex and expensive to operate—and will ultimately fall victim to the threat actor with a superior strategy.