Introducing the Cybersecurity Canon

Apr 03, 2017 | 3 min read

If you need to know what information security books to read, who you gonna call? The Cybersecurity Canon.

If knowledge is power, one of the more effective ways to get that power of knowledge is via reading books. When it comes to information security, one would have to spend many hours per day to keep up with the vast amount of written material that is constantly coming out. So what is a security professional to do?

Last month David Bisson wrote a blog post, 10 Must-Read Books for Information Security Professionals, in which he asked information security professionals for their must-read book. There are a number of books listed there that are definitely worth a read.

For those who want more, there’s the Cybersecurity Canon project, of which I’m a member. Canon members include industry experts such as Christina Ayiotis, co-chair of the Georgetown Cybersecurity Law Institute; Dawn-Marie Hutchinson of Optiv; Brian Kelly, CISO at Quinnipiac University; and more.

The project was started in 2014 by Rick Howard, CISO of Palo Alto Networks. The members of the Canon identify lists of must-read books for cybersecurity professionals or those looking to get a foothold into the security industry.

The list of books in the Canon, and those that are candidates for entry, includes both non-fiction and (to my chagrin) fiction books. So what does it take for a book to make it into the Canon? First off, it should not be directly tied to a specific technology or product. While a book on Windows Server 2016 security or on how to configure and use Wireshark 2.2.6 is certainly a worthy read, these are not the types of books meant for the Canon.

Canon-worthy books are those that focus on the core aspects of information security and are forward-thinking, original and insightful. They should also stand the test of time, meaning that they should remain relevant for a number of years.

Some examples of books in the Canon include the Tallinn Manual on the International Law Applicable to Cyber Warfare, The CERT Guide to Insider Threats, and my favorite, Measuring and Managing Information Risk: A FAIR Approach.

If you know of a book you think is a candidate for the Canon, you are invited to nominate it for entry. That said, the nomination process is meant for serious entries. Every PR person wants their client’s book to be a candidate, and if that were allowed the Canon committee would be flooded with every book under the sun. To avoid that, a book can only be nominated for the candidate list by way of a book review.

The benefit to the Canon of requiring a full book review is that it demonstrates to the committee that the person submitting the book is serious about it and feels strongly enough about it to take the time to write a review. Note that the review does not have to be colossal; a review of a few hundred words will suffice. There are plenty of good books out there to be read, so submit as many nominations as your time permits.

For more information or if you want to contact the Canon, check out the Canon FAQ. Looking forward to your review.

Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management, and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences such as RSA and MISTI, holds numerous industry certifications, and is a member of ASIS, the Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.