There are many ways for IT professionals to broaden their knowledge of information security. Attending infosec conferences, for instance, provides personnel with an opportunity to complete in-person trainings and network with like-minded individuals. Outside of industry events, analysts can pick up a book that explores a specific topic of information security.
Security professionals can gain a lot from reading about IT security. But not all books offer the same depth of knowledge and insight. Which begs the question: which books offer the most to information security personnel?
We asked industry thought leaders to share their favorite books that changed the way they think about information security. Here’s what they had to say.
Maribeth Pusieski | @
Don’t read The Phoenix Project for great literature, witty dialogue, and well-crafted characters. Instead, read this book for an easy yet informative introduction to why well-run IT departments are gaining a competitive edge.
In the form of a fiction novel that uses Bill, the IT ‘good guy’, to narrate, the book introduces us to his company’s broken mission-critical business project. IT changes are having a devastating ‘butterfly effect’ on corporate success, leaving Bill with very little time to discover the cause and find a way to save the day.
Fortunately, the expert authors not only share how the company got into such disarray, but it also provides solid business practices such as the ERM ‘coso cube’ and ‘The Three Ways’ to bring Bill and his company to a happily-ever-after ending.
Dwayne Melancon | @ThatDwayne
- Offensive Countermeasures: The Art of Active Defense by John Strand and Paul Asadoorian
- I took a class from the authors at BlackHat, and it changed how I thought about security. The book covers how to create “vexing” security approaches that engage attackers in a time-wasting and misleading way. The focus is on a couple of techniques and countermeasures that mislead attackers, causing them to fail and generally wasting their time so your become an unprofitable target.
- The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations by Gene Kim, Jez Humble, Patrick Debois, and John Willis
- You might wonder why a DevOps book is on a security list. This book is about the holistic approach that is required to securely implement and leverage the power of DevOps. It touches on security and testing strategies, organizational structures and alignment, and how to implement controls that pay off in better availability, security, and efficiency. This is as much a “why to” book as it is a “how to” book while still containing a huge collection of “how to” best practices.
- Visible Ops Security: Achieving Common Security And IT Operations Objectives In 4 Practical Steps by Gene Kim, Paul Love, and George Spafford
- This book is derived from the study of hundreds of high-performing IT organizations and provides a four-phase approach to mimicking the best known methods of high performers. Each of the phases is designed to be catalyst (i.e. each one provides a foundation for the next phase), designed to cost less to implement than the value they provide, and is all about practices and processes. This means it can work with the tools you have now. As a side note, I was a contributing author to this book.
David Jamieson | @
The Social Engineer’s Playbook: A Practical Guide to Pretexting
November 23, 2014
by Jeremiah Talamantes
While some security breaches are out of our control (e.g. our personal confidential information stolen from a company’s database), plenty are within our control. We could have stopped or prevented them from happening. In particular, how we respond to “requests/demands” for information or action can affect our threat detection and response capabilities. By and large, everyone I know who’s turned over their credit card to a nefarious “Windows” security expert has done so because they’ve been socially engineered. These fake engineers will say something along these lines to their victims: “If you don’t do it now, we can’t promise to fix the problem and it will get worse for you.” It’s all nonsense of course, but people succumb to the pressure every day. People need to understand they’re being manipulated by expert con men (and women). The Social Engineer’s Playbook describes exactly how this happens and why we fall for it. By educating ourselves to the tactics used by social engineers, the better equipped we’ll be to hang up the phone, say “no,” or laugh in their face when they come knocking.
Tyler Reguly | @treguly
Gray Hat Hacking: The Ethical Hacker’s Handbook
By Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Limm, and Stephen Sims
It’s been a decade since I first read Gray Hat Hacking, but I remember I couldn’t put it down. I tend to stay away from technical books because I find so many are poorly written and inaccurate, but this one was full of great information.
When I was developing courses for Fanshawe College, I selected the third edition of this book as a textbook. It lent itself incredibly well to learning the basics of and gaining a solid foundation in information security.
Now in it’s fourth edition, the book still stands out as an amazing point of entry into infosec and a great refresher for pros.
James Wright | @James_M_Wright
Ghost In the Wires: My Adventures as the World’s Most Wanted Hacker
By Kevin Mitnick
This book is an exciting hacker thriller that takes a biographical look into Mr. Mitnick’s early computer career infiltrating multinational corporations’ networks. From spending all night dial-up breaking into phone systems to convincing company employees into installing malicious programs from diskettes sent via snail mail, this book excellently captures the pulse of a genuinely gifted social engineer. His actions invoke criminal charges, ultimately leading him to go on the run. Thought of as a tenet in cybersecurity, people are the first line of defense for any corporate security program. This non-technical book is a must read for an intriguing perspective into securing the human behind the keyboard.
Angus Macrae | @AMACSIA
Hacking Exposed, now in its seventh edition, is still a great introduction into the basics of network attack and defense. Reflecting the evolving need for more specialist focus in different areas, its recognised brand has now of course diversified into editions for mobile, ICS, rootkits, Linux, Windows, wireless, and you name it. The overarching Network Security Secrets & Solutions by Stuart Mcclure and Joel Scambray, however, is for many, myself included, often the start of a much longer security journey.
I first bought the second edition of Hacking Exposed back in 2001, and it immediately changed the way I was thinking about the systems for which I was then responsible. Whilst much of the technology specifics in that edition will now seem quaintly retro, it is both sobering and more than little disheartening to see how some of the actual techniques are still in active use today. It was also the first time I read anything by Bruce Schenier, who penned its poignant Foreword stating “Knowledge is power because it allows you to make informed decisions based on how the world really is …… and not how you may otherwise believe it is.”
Bob Covello | @BobCovello
There are so many great technical books that it is difficult to choose only one. Books from reputable publishers such as No Starch Press and O’Reilly can keep any InfoSec professional busy for many years.
It is always great to have as many technical skills as you can possibly learn. Those are the skills that will get you the InfoSec job you desire, but you also have to be able to communicate your ideas in a way that not only instructs but also makes the audience want to hear more. You need a way that makes people want to engage with you.
You need a course in charisma!
The book I would recommend to anyone who needs to communicate in a way that engages people is The Charisma Myth by Olivia Fox Cabane.
This book takes more than a “win friends and influence people” approach. It offers exercises and techniques that can transform even the most socially inept InfoSec person into someone who can better connect with an audience. It is nice to know how all the exploits work and why it matters to be more security conscious. Don’t just wow them with the technical facts; wow them with your charismatic approach, too!”
Matt Pascucci | @MatthewPascucci
Extrusion Detection: Security Monitoring for Internal Intrusions was written over a decade ago, and it’s more relevant today than it was when it was first published. The technology in this book might have changed, but the concepts are still the same. In order to properly defend the confidential data within your network, there needs to be proper extrusion detection in place to detect intruders who have comprised your internal systems and siphoned out sensitive data.
We’ve seen a huge emphasis on preventing threats but not enough on detecting data as its being stolen. This book gives you some serious food for thought on how this can be applied to your network.
Bev Robb | @teksquisite
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
By Kim Zetter
This book is about malware detection and not just run-of-the-mill malware, either. It’s a techno-thriller page turner.
Kim put extensive detail and research into writing her book, pulling all pertinent facts and research together without listing one line of code. She has a great narrative style that both absorbs and enthralls the reader. The book that was extremely hard to put down.
This book does a great job of illustrating and unraveling Stuxnet. Ever wonder what it would be like to have a power grid in your country shut down for a day, week, month, or even longer? Is your country prepared? This book makes you think about the secretive world of cyberwarfare and how one piece of malware forever changed world history.
Thom Langford | @
Below are a couple of suggestions for the list. However, they are not IT security books, as I know they are going to already be some great books on the list. These books, on the other hand, have helped me develop more as a CISO than any IT security book because they have helped me communicate better as well as think of alternative ways to address problems. They are not traditional IT security books in any sense of the term!
Slide:ology and Presentation Zen
I can’t count the number of times a great security message has been turned into the dullest topic ever by poor slides and presentation technique. The same will apply in the boardroom, as well. Get your slides in order, polish your performance, and be blunt. People will take you more seriously. These two books are constant references for me in helping me in that regard.
One Plus One Equals Three
It is so easy to get stuck into the same way of thinking when presented with business problems. This book really inspires you to look at things differently, see the silver lining, and often be far more creative when addressing problems. Many people I know, myself included, read it in one sitting.
Sleights of Mind
Neuroscience applied to magic. Think it isn’t relevant? The same techniques that magicians use to distract and fool their audiences are the same tricks used by phishing scams and cyber criminals. Understanding these techniques and approaches goes a long way to understanding how best to approach these kinds of classic security issues in the workplace.