Introducing The Cybersecurity Canon: Books You Should Have Read

can·on -  /kanən/ - noun

1. A group of literary works that are generally accepted as representing a field: "the durable canon of American short fiction" (William Styron).

2. A list of writings officially recognized as genuine.

3. The list of works considered to be permanently established as being of the highest quality: “Hopkins was firmly established in the canon of English poetry.”

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. In my new role as Chief Security Officer of Palo Alto Networks, I have to stay visible and well-informed, and make sure I’m an evangelist for the company. To me, these are books no one in our field can do without.

To me, the Canon isn’t purely technical literature and includes both nonfiction and fiction. Books that are how-to-manuals for the inner workings of security protocols, coding practices, standard operating procedures and the like are important, but there are plenty of books in those categories that are covered by the various technical and security certification programs. And unless the book describes some timeless aspect of the community, it doesn’t really meet the definition.

What I am looking for in this list are books that make us human; books that not only tell us how something works but why. The Cybersecurity Canon should include books that explain how we got here and describe the people that drove the community down this path. These books can be novels if they capture the culture correctly and can illustrate and educate the general public about the true nature of cybersecurity. They need to illuminate our timeless thinking on different adversary motivations like crime, hacktivism, espionage and war. They also need to describe realistic hacking techniques and cyber operations.

I’ll be presenting on this topic at RSA 2014 in February, and at that time I’ll discuss my first candidates for inclusion into the Canon. Between now until then, Palo Alto Networks will post my discussions of each of these candidate books so that interested people can preview them before the presentation if they are so inclined and can decide for themselves if they belong in the Canon or not.

Check back later today for the first entry in my series. Perhaps you might like to take exception with my list and offer other books for consideration. I welcome the debate. This should be fun.