There are just over 490 cyber security books listed on Amazon in the computers and technology section.
Some are keepers. No doubt some of them — probably technical texts — are collecting dust on the bookshelves of infosec pros. But how many are really worth reading?
At least 13, according to a group of infosec pros compiling a list of titles called the Cybersecurity Canon: books that every information security professional should read — including fiction.
Today eight were added: “Cyber War,” by Richard Clarke and Robert Knake; “Future Crimes” by Marc Goodman; “@War: The Rise of the Military-Internet Complex” by Shane Harris; “Tallinn Manual on the International Law Applied to Cyber Warfare,” edited by Michael Schmitt; “The CERT Guide to Insider Threats,” by Dawn Cappelli, Andrew Moore and Randall Trzeciak; “Measuring and Managing Information Risk: A FAIR Approach” by Jack Freund and Jack Jones; “Kingpin” by Kevin Poulsen; and “Zero Day,” a novel by Mark Russinovich.
Five were already in the canon: “We Are Anonymous,” by Parmy Olson, the first winner, in 2014, followed last year by “Spam Nation” by Brian Krebs; “The Cuckoo’s Egg” by Clifford Stoll; “Winning as a CISO” by Rich Baich; and “Countdown to Zero Day” by Kim Zetter.
The idea of the list came from Palo Alto Networks CSO Rick Howard, an avid reader. With the backing of his firm, the contest was created two years ago, with the public encouraged to nominate and vote on titles. A committee of 10 infosec pros makes the final choices, with the winners announced at the company’s annual Ignite user conference.
Something of an author himself, Howard was co-executive editor of two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials.” He has worked for several cybersecurity companies and served in the U.S. Army for 23 years, two of which he spent running the Army’s computer emergency response team (CERT). He holds an engineering degree from the U.S. Military Academy and a master’s degree in computer science from the Naval Postgraduate School.
I interviewed Howard shortly before the contest closed to ask why he set up the contest.
“One of the things I love about my job is it changes all the time,” he said over the phone. “The thing I hate about my job is it changes all the time — you’re always reading everything you can just to stay current with whatever’s going on. So like a lot of my peers I have a bunch of books in my basement on a shelf that I’ve read or sort of read and that I should have read by now.
“I was down there about two and a half years ago and I was feeling pretty superior because I had read some of these things and many of my peers had not, and I pulled a couple off the shelf and thought, ‘You know, I don’t remember a damn thing that was in this book — I remember reading it but I don’t remember anything that was in it.’
“So as a personal project I started re-reading some of the ones I thought were more important. I started taking some notes so I could remember this time what was in the book, and that turned into book reviews that I put on a personal blog page. I collected about 25 of them and went to the RSA Conference (in 2014) and presented them as books everybody should have read by now.”
Palo Alto Networks liked the idea and decided to sponsor the list as a contest. The goal, according to the site, is “to identify a list of must-read books for all cybersecurity practitioners where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.”
For example, Howard said, a person who reads this year’s three nominated books in cybercrime and Brian Krebs’ book “would know pretty much everything there is to know about how cybercrime works and how to protect yourself.”
There are three broad categories — non-fiction, technical and fiction — and seven sub-categories (Cyber History and Culture, Cyber Crime, Cyber Espionage, Cyber Hacktivism, Cyber War, Novels and Technical).
This year 36 books were nominated. And while the two finalists are fiction, Howard admits the nominating committee has reservations about whether there should be a fiction category at all.
Nominated books don’t have to be published in the contest year. For example, one of the finalists, “Cryptonomicon,” was published in 1999. A personal favourite of Howard’s, it runs from World War II to the dot-com era of the late 1990s. “You have to commit to it because it’s a thousand pages,” and it includes a treasure hunt, code breaking, commando raids and three love stories.
His all-time favourite is Stoll’s 1989 autobiography, “The Cuckoo’s Egg.” Stoll was an astronomer at the University of California at Berkeley in the 1980s, “a lefty-liberal extraordinaire … he doesn’t want anything to do with the government; he makes his own clothes, grows his own food, long hair — he looks like the doctor in the Back to the Future movies.” Temporarily hired to run a Unix lab for a year, he’s asked to fix a 75-cent accounting error in the student billing system for computing time.
“That error was the first ever cyber-espionage campaign,” Howard says, “run by East German mercenaries funded by the Russians, using U.S. university systems as a gateway into the military systems.”
“It reads like a Tom Clancy novel — and there’s a love story and even a chocolate chip recipe.”
The most recently published non-fiction book he likes is “Measuring and Managing Information Risk,” one of this year’s winners.
“In my field most people are not math people and don’t understand risk with any kind of precision. They think in terms of high, medium and low risk to a company. These guys provide the methodology for how to measure risk for anything you are worried about. So when you get challenged by your leadership about how important this is compared to something else, you have the math behind it … I think it’s the way forward for cybersecurity professionals.”
Another non-fiction book he’s high on is one of last year’s winners, “Winning as a CISO” (2005), which advises being able to speak to business leaders in terms they understand, having a marketing department that advertises the security services that can be offered to business units, and delivering products to management that they can use to make decisions.
Most of the CISOs — like himself — came up through the technical ranks, Howard says. “We suck at being able to talk to business leaders about what’s going on with the business. What is changing, I think, is that in the next 10 years CISOs will have business degrees first, and just be proficient in technology.”
Which leads me to ask if — as the title suggests — CISOs can win in an era where attackers seem to be able to penetrate defences at whim. “Absolutely … I think the way we think about risk to the business is pretty immature these days, and books like Rich Baich’s will help figure that out. There’s another book on the candidate list called ‘Navigating the Digital Age’ — and full disclosure, we organized that book with the New York Stock Exchange to give board members something to read on cybersecurity — and books like that will help them get there.”