‘Cybersecurity Canon’ Aims to Secure Good Reads

For anyone seeking to broaden their understanding of cybersecurity or to get up to speed quickly on what cybersecurity really is and how it could affect their organization, a book is probably the best place to start. But faced with over 2,300 choices for sale on Inc., the question is which one?

The Cybersecurity Canon project is seeking to answer that question. It’s a collection of cybersecurity-focused books that aims to educate readers on the constantly-changing world of digital risks, adversaries, technologies, methodologies and business issues.

“What I love about this job is there’s always something new and exciting to learn, but the problem is you can hardly ever keep up with it,” said Rick Howard, chief security officer at the security vendor Palo Alto Networks Inc. and founder of the Cybersecurity Canon. “About five years ago I took a book off the shelf I knew I had read, but couldn’t remember a damn thing about it.”

It was in that moment Mr. Howard decided to take action.

Mr. Howard decided to re-read what he considered the most important security books in his library and wrote reviews for each. He then shared his shortlist of works with other industry leaders at the conference held by RSA Security LLC in San Francisco, the largest industry event of the year, and the Canon was born.

Mr. Howard said he modeled the idea on a literary canon, or a body of works considered to be most important to capturing a particular time period or place.

Rock & Roll Hall of Fame

“We created a Rock & Roll Hall of Fame for cybersecurity books,” said Mr. Howard, adding that a committee of experts reads and reviews each book shortlisted and recommends which should be included in the final list.

Books must fit the project’s criteria: the subject matter can’t be quickly outdated, the book must accurately represent an aspect of the community and the writing must be of the highest quality. Mr. Howard puts it simply: “If you don’t read these books there will be a hole in your cybersecurity educational background.”

Mr. Howard highlighted “The Cuckoo’s Egg” as a great example. The 1989 work by Clifford Stoll is a first-person account of an investigation Mr. Stoll and his colleagues conducted following hacking attacks against Lawrence Berkeley National Laboratory and other government systems in 1986. The investigation led authorities to Markus Hess, a German hacker who had sold the information he stole to Russian intelligence services.

“The lessons learned from that book are still pertinent today,” said Mr. Howard.

The Cybersecurity Canon committee is in the middle of its reading season now, which runs between June and December each year, with two or three books inducted into the Hall of Fame annually. Voting is currently underway for the “People’s Choice” award. The 32 candidate books are being narrowed down throughout October to coincide with Cybersecurity Awareness Month. The winner will be announced on October 31st.

Perhaps unsurprisingly, most of the books on the candidate list are by English-speaking authors, but this season’s line-up includes a Japanese work for the first time. “Cybersecurity for Business Executives,” originally written in Japanese by senior managers at the global telecoms company NTT Group, reflects the nuances of cybersecurity in Japanese culture and the Japanese business environment, which differs in some ways from how Western companies approach the issue. The book is available as a free download here.

So where should executives with limited experience of cybersecurity start? Mr. Howard recommends “Navigating the Digital Age,” a collection of articles written by C-Suite business leaders and subject matter experts specifically for executives and board members. The e-book, customized for different regions of the world, is also available as a free download here.

Reading about cybersecurity is certainly no substitute for practical experience, but it will give the reader a breadth of understanding they could not otherwise obtain.

The above article first appeared in the “WSJ Pro Cybersecurity” newsletter. Used by permission. Please visit for more information.