"The CERT Guide to Insider Threats." "The Girl with the Dragon Tattoo." "Neuromancer." What do these books have in common? If Rick Howard, CSO of Palo Alto Networks, has his way, these will be among the books that all cybersecurity professionals read.
Howard has posted a blog containing a draft of what he calls the "Cybersecurity Canon," a list of must-read books that "genuinely represent an aspect of the community that is true and precise and that, if not read, will leave a hole in the cybersecurity professional's education that will make the practitioner incomplete."
Howard tells Information Security Media Group: "I've always been a fan of the books. I'm always a little bit astonished our community doesn't embrace them more completely."
What started as a pet project has started to gain traction. Howard was asked to speak on the topic at RSA Conference 2014, and he's now fielding a survey to help gauge what should or shouldn't be included on the definitive list of cybersecurity must-reads.
Howard's draft list includes 20 books, both fiction and non-fiction, including "The Blue Nowhere" by Jeffery Deaver, "Cryptonomicon" by Neal Stephenson and "We Are Anonymous" by Parmy Olson.
Initially, Howard thought the canon would consist of mostly non-fiction, technical writings. "But as I was going through this, there's been a lot of [discussions] about enticing new folks into the field," he says. "What if we want to hand those folks books that represent truthfully what goes on in our industry, that's more exciting and is not like they have to do homework? We started expanding into novels that represent our community truthfully, but tell a great story and are written well."
A lot of the books on the list have to do with a specific adversary's motivation, like hacktivism, crime, espionage or warfare, Howard notes. "If you can find a book or two that captures the essentials of that subject, that's something we probably should all have on our utility belt."
For a book to make it into the canon, it must accurately depict the history of the cybersecurity community; characterize key players or significant milestones in the community; or precisely describe technical details that do not exaggerate the craft, Howard says. And the best books will meet all three of these criteria.
Once the survey wraps up, Howard will finalize the first edition of the Cybersecurity Canon and announce it during Palo Alto Networks' Ignite 2014 Conference, to be held March 31 - April 2 in Las Vegas.
Afterward, he plans to develop a committee of individuals who revise the list each year and update the criteria for inclusion. "We want to grab a group of folks in the community who are interested in the topic and let them take a shot at refining our criteria, adding to the candidate list and then opening it up to the community to vote on the next books to be added to the canon," Howard says.
The details on who will be included in the group, which likely will meet this summer, are still being worked out, he says.
Howard hopes the Cybersecurity Canon list of important books helps attract more people to careers in the field. "If I can entice you by reading a book ... to go further into cybersecurity - that may be a way to get more folks into our community."
Howard discusses the Cybersecurity Canon further in a video interview at RSA Conference 2014 (see: The Cybersecurity Canon: Must-Reads).