Cybersecurity Canon Candidate Book Review: “No More Magic Wands: Transformative Cybersecurity Change for Everyone”


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!


Executive Summary

There are no magic wands for security or any other part of a business. A secure culture stems from top-down support, a business that has a security mindset, leadership that understands risk, and collaboration with others on solutions. That’s the underlying message in George Finney’s book, No More Magic Wands: Transformative Cybersecurity Change for Everyone. Mr. Finney uses a fairy tale metaphor about a magic wand factory to tell the story that’s all too common with businesses today: a security breach and how to address security problems. Through short vignettes found in each chapter, the reader experiences the challenges faced by almost every security department, along with simple methods for overcoming them by leveraging people and process improvements. There are sound recommendations sprinkled throughout that would benefit any security professional.

This short book provides many good ideas that could aid any cybersecurity professional in influencing good practices within their organization. The stories translate the usual tech talk into everyday words, aiding those not familiar with the underlying concepts. The chapter summaries, takeaways and questions provide further insights on key technology and security concepts.

This book may not be for everyone. Not all readers will appreciate the story approach to explaining technology and security. Some of these stories are difficult to follow, which is where the summary and takeaways provide value. Also, there are metrics sprinkled throughout where citing an authoritative source would have forestalled any counterargument. No More Magic Wands is good for new CISOs or security directors, or those looking to someday have that role.

Review

There are no magic wands for security or any other part of a business. A secure culture stems from top-down support, a business that has a security mindset, leadership that understands risk, and collaboration with others on solutions. That’s the underlying message in George Finney’s book, No More Magic Wands: Transformative Cybersecurity Change for Everyone. Mr. Finney uses a fairy tale metaphor about a magic wand factory to tell the story that’s all too common with businesses today: a security breach and how to address security problems. Through short vignettes found in each chapter, the reader experiences the challenges faced by almost every security department, along with simple methods for overcoming them by leveraging people and process improvements. There are sound recommendations sprinkled throughout that would benefit any security professional. This book is, “written for anyone and everyone who wants to make a difference and improve cybersecurity.”

While a fairy tale may seem juvenile to some, it’s a good mechanism for allowing all readers, technical and non-technical alike, to understand the underlying cybersecurity philosophies, concepts and general technologies covered throughout the book. Too often, technologists lose business people in their jargon and thus lose their support for cybersecurity initiatives. The real goal is to enable universal participation for cybersecurity and empower all employees to take initiative towards a more security-aware culture. That’s the theme throughout No More Magic Wands. Mr. Finney provides a means to reach the goal seen in the book’s subtitle: Transformative Cybersecurity Change for Everyone.

The book’s introduction provides the needed background to understand the story told throughout the book: how a magic wand factory was compromised and the steps the company leadership took to ensure it didn’t happen again. The introduction explains the strategic direction needed for any successful cybersecurity program: a culture with a security mindset driven by senior management. At a tactical level, security awareness needs to be a continual process rather than a one-time or annual event. This enables all employees, not just those responsible for cybersecurity, to handle security events. “If we improve our communal awareness of cybersecurity, we can start to develop a kind of collective immunity to cybercrime,” asserts Finney.

The first chapter starts the story by explaining how Honest Evergreen started the Honest Wand Company by producing magic wands for forest folk. It’s a fun way to appreciate how many businesses start: with an idea, a product and a need. Trouble soon finds Honest Evergreen when poor imitations of his wands make their way to the forest. On top of that, his customer lists are leaked, further hurting his company’s reputation. An evil witch, or “magically inclined” person, angry her information was stolen and her identity compromised, confronts Honest. In the ensuing battle, she turns Honest into a statue and destroys all the magic wands except for the one in Honest’s hand. The ensuing story is about the journey of Harmony Evergreen, Honest’s daughter, in determining the cause of the breach, resurrecting her company’s reputation, and solving their security problems through collaboration, teamwork, and leadership.

The fifteen stories throughout the book each provide a viewpoint into the creation and management of a cybersecurity program driven by an engaged executive. The book chronicles Harmony’s journey, which is often fraught with peril, as is common in any fairy tale or real-world scenario. Harmony enlists the aid of characters like Mr. Groundhog (of course, associated with going back in time to correct wrongs), an old porcupine with extensive management experience to aid her in leading corporate change, an astronaut who explains computer networking and firewalls in cyberspace, an origami man who can become anyone to simulate a social engineering attack, a pig well-versed in risk management and cybersecurity practices, and a blind raccoon who sees by using his vast experience. These characters, along with many others, provide an allegory that teaches many different aspects of cybersecurity.

Each chapter covers a different theme based on these characters to present not only security issues but also simple ways to solve them based on sound security management practices. The themes, told in story form, include phishing by a silver-stealing fox disguised as a cat, giant ogres who intercept unencrypted email, the origami man performing penetration testing, squirrels hunting for nuts to show the need for identifying the company’s crown jewels and managing its assets, the raccoon demonstrating how to use incentives to encourage the right employee behavior, a jackalope who teaches discretion, and an owl doctor who explains the importance of being part of a security community.

Throughout the book, we are shown Harmony’s notes of lessons learned, such as, “Leaders take responsibility for their security through leadership by example,” “Don’t use fear to motivate change,” “Security is everybody’s job,” “Separate critical responsibilities,” “Least privilege,” and the five parts of a company’s cybersecurity immune system. These aid the reader in understanding underlying security concepts. The stories take these from the theoretical to the practical and show how they can be applied in any business.

Each chapter contains a summary, takeaways, and questions after the story. These are not part of the story and provide the reader with a real-world explanation of the concepts covered in the chapter. Each contains valuable nuggets of information from Mr. Finney, an experienced chief information security officer, on running a security program. The takeaways are high-level concepts that should be considered by any CISO. While the questions seem to be more academic, they are good for any cybersecurity professional to ensure his or her program is on the right track. In reviewing the book, I often jumped right to these as a quick reminder of the concepts covered in the stories.

Throughout No More Magic Wands, the author presents an interesting premise: that we need hackers in order to improve our security as, “Most people won’t listen until after they’ve lost their ‘crown jewels.’” Research suggests that our strongest memories are of stressful or negative situations, and security is often in the middle of these situations but must maintain a positive countenance to solve the issues. The organization’s security group may need to use techniques such as penetration testing, phishing, and social engineering to simulate breaches and use the results as teaching opportunities. Additionally, by using stories like the ones in No More Magic Wands or case studies applicable to the business, security can make the case for improving practices.

Mr. Finney concludes the book with an afterword. For me, this seems like an extension of the introduction. Before reading the story portion of the book, readers may want to jump right to this section to further understand the critical cybersecurity concepts covered throughout the book. Mr. Finney provides nine habits to enable an organization-wide culture of security: Literacy, Skepticism, Vigilance, Secrecy, Hygiene, Federation, Diligence, Mirroring, and Deception. Each of these builds on the others, forming a layer of a security shield that professionals can use to protect themselves, their organization, and their community. These provide additional food for thought that increases the value of the book.

There are a few items that make this book a niche read and keep it off the must-have list for cybersecurity professionals. First, many of the chapter stories can be hard to follow, especially if you’re not familiar with allegories, and it can be difficult to understand the theme until the very end. The chapter summaries and takeaways help solve this. If you’re having difficulty with the story, you may want to skip to the end for these sections and then go back to read the story. Second, there are some facts presented that could use a reference. For example, the author often uses the statistic that “eighty percent of all theft comes from the inside” without stating the source. Tying back to authoritative sources helps validate the information. There are also some errors and typos that should have been caught in the editing process.

Lastly, the author often uses absolutes to press for greater cybersecurity within an organization that are great in theory but very hard in practice; for example, that every employee in an organization needs to have all of the right security tools and information in order to adequately secure the organization. This would lead to information overload and could detract from the employee’s normal duties. Instead, security should be embedded as part of their practice, with just-in-time information and tools provided to the employee. Even if you don’t agree with all the author’s ideas, this book will get you to think about them and help you develop your own style that fits your organization.


Conclusion

In No More Magic Wands, George Finney makes cybersecurity approachable and easy to understand, especially for those who are new or not well-versed in its underlying concepts. He appreciates that technology can be intimidating and developed case studies throughout the book to help the average reader appreciate how small changes over time can lead to large results to prevent, avoid, or mitigate a security breach.

While I enjoyed the stories and appreciate the many concepts Mr. Finney presents in a small package, I don’t feel this book is for everyone in technology or cybersecurity. I recommend this book to those who are looking to become better storytellers as part of their cybersecurity journey or who need a way to present technical concepts to a lay audience. The storybook format may not be to everyone’s taste, and some of the stories were hard to understand without rereading multiple times. There are also the issues outlined above that could be distracting for experienced cybersecurity professionals. No More Magic Wands should be included in the Cybersecurity Canon, and considered for the Hall of Fame.


© 2018 Palo Alto Networks, Inc. All rights reserved.