This week, I’m presenting at the DC Metro Cybersecurity Summit. I’m in the speaking slot before the last speaking slot before cocktail hour, so, you know, coveted. But I get to talk about my two favorite things in the world: the CyberCanon Project and my joy of deep reading. If you’re in town, I would love to see you there.
As you may or may not know, my main focus of study is cybersecurity strategies that buy down risk. I’ve even written a book about the subject: “Cybersecurity First Principles: A Reboot of Strategy and Tactics.”
But in my spare time, I am the CEO of an all-volunteer nonprofit called the CyberCanon. Our vision is to be the infosec professional's first source for curated, timeless, and must-consume wisdom.
The Problem
I created it back in 2014 when I was the Palo Alto Networks CSO. One of my jobs was to visit customers, and one thing I noticed was that many of my peers had stopped doing any kind of Deep Reading. They were overwhelmed with too much content. They didn’t have enough time to consume it all, and there was no way to predetermine whether the content they were consuming was any good or not.
I noticed that, heroically, in an attempt to stay caught up in a cybersecurity landscape that is constantly changing, many of us try to consume as much information as possible. We listen to books and podcasts on triple speed. We prefer simplistic bullet-point blogs from security vendors. We rely on summaries of important content, not really engaging with the subject but reading the overview of it. When ChatGPT emerged in November 2022, we started to rely on it, and other large language models, as the tool of choice for these kinds of quick-hit digests.
The Joy of the Deep Dive
This may seem counterintuitive, but that approach is just wrong. I get it: summaries are useful for a quick update. But when you really want to understand a thing, the only way to do it is to take your time with it, to wallow in it, to challenge it, to connect it to other things that you already know. I’m reminded of David Ulin’s quote from his book “The Lost Art of Reading:”
Reading, after all, is an act of resistance in a landscape of distraction, a matter of engagement in a society that seems to want nothing more than for us to disengage. It connects us at the deepest levels; it is slow, rather than fast. That is its beauty and its challenge: in a culture of instant information, it requires us to pace ourselves.
— David L. Ulin
I love that line. “It is slow, rather than fast.” This may seem arrogant, but I’ve said for years that if you’ve read one book on a subject, you're most likely the smartest person in the room on that subject (Because, you know, nobody reads books anymore). Read two, and you’re the go-to expert for the group. I like to quote my man Tyrion Lannister from the HBO TV series, “Game of Thrones:”
A man needs books as a sword needs a whetstone if it is to keep its edge.
— Tyrion Lannister
Exactly. You don’t run the sword across the whetstone a couple of times after yesterday’s big battle and expect it to be ready for tomorrow’s. It takes hours to bring a blade up to speed. The same is true for honing your brain.
More is not Better
Here’s the thing. I want you to get used to the idea that doing a thumbnail, cursory reading of everything, flailing wildly in an attempt to stay caught up, isn’t as impactful to your career as making time for a deep dive on that one topic that might change everything in your world; that might give you that one insight that makes all the pieces come together. And with all of our technology (AI summaries, YouTube videos, transcripts, podcasts, etc.), books (and I include audiobooks in that category) are still the best knowledge transfer device that we have. That and a notebook to record your thoughts are all that you need.
A single great book, mined deeply, can prove a powerful education.
— Sam Rinko
Remember, the goal is not to get through the material as fast as possible. The goal is to learn from the experience of others. I don’t know about you, but I have trouble remembering how to tie my shoes in the morning. If I remain in my own bespoke bubble, only engaging with the dumb ideas that I’ve come up with or notions that I already agree with, that’s a recipe for disaster. The goal is to have a conversation with people who are smarter than you. As René Descartes said,
The reading of all good books is like conversing with the finest [people] of past centuries.
— René Descartes
How to Find Good Books?
As Thoreau said, first read the good books.
Read the best books first or you may not have a chance to read them at all.
— Henry David Thoreau
The problem, though, is how do you find them? Let’s assume that I’ve convinced you that you need to slow down and spend some time with a book this year on the topic of your choosing. It might take you between 15 and 30 hours to consume it and to write your notes about it. You don’t want to pick a bad book. That would be a colossal waste of time. What you want is a curated list: a list of books that other experts agree are the ones you should consider. That’s where the CyberCanon comes in.
The CyberCanon
The CyberCanon is an all-volunteer and ever-changing roster of senior cyber professionals who read the books and make recommendations about what to read. We do that through book reviews that we publish on our website. We set it up like the Rock & Roll Hall of Fame. At the end of each year, the committee decides which books to induct into the Hall of Fame.
The point is that the CyberCanon website is a curated list of must-consume wisdom. If you work in a zero trust shop, what’s the one book you should read to understand the complexities of that strategy? According to the CyberCanon committee, that would be George Finney’s “Project Zero Trust.” If you’re looking to improve your career, where should you turn to get that advice? The committee recommends that you take a look at Helen Patton’s “Navigating the Cybersecurity Career Path.”
After 15 years, the CyberCanon committee has inducted just over 50 books into the Hall of Fame. If you want to follow Thoreau’s suggestion to read the good books first, start with the CyberCanon’s 50. When you have finished those, we have also published reviews on over 200 books: books that maybe not everybody in the profession has to read but, if you’re interested in the topic, are really good. If you are following Sam Rinko’s idea of finding that one great book, start there. And remember, you don’t have to get through the 50 as fast as possible. Just pick one. Do a deep dive on just one. When you’re ready, do the next one, and then the next. Take your time. Learn. Write your notes. You’ll be surprised at how many books you’ll have under your belt in a few short years.
I get asked all the time which books from the CyberCanon 50 I recommend first. I always give a different answer depending on what day of the week it is and what mood I’m in, but here are three of my favorites.
Cuckoo’s Egg
The first one is “The Cuckoo’s Egg,” published by Dr. Cliff Stoll in 1989. This is the book that turned IT professionals of a certain age into cybersecurity professionals. Before “The Cuckoo’s Egg,” cybersecurity wasn’t really a thing yet. Back then Dr. Stoll was an astronomer at the Lawrence Berkeley National Laboratory designing telescope optics for the Keck Observatory. But his project lost funding and he needed a job.
Everybody on campus liked him. He was, and is, wicked smart, charming, and had a touch of the autism. And he was a lefty liberal. I mean, in terms of politics, there’s middle of the road, left of center, extremely left of center, and then there’s Cliff. He made his own clothes, grew his own food, and wore long hair and earrings. He was that guy and everybody liked him.
The IT department said, “Hey Cliff, why don’t you come over here and run this Unix lab for us. You’re a smart guy. You understand Unix. And oh, by the way, we have this accounting error in the student database records.” Back then, we charged students for computer time, and every month, across the entire student body, it was off by 75 cents and nobody could figure it out. “So Cliff, run this Unix lab for us, track down this 75-cent accounting error, and when your astronomy job gets its funding next year, go back to your astronomer job. But in the meantime, you can help us out.”
Well, that 75-cent accounting error was the first indicator of what may very well be the first cyber espionage campaign. It was run by the Russians using East German hacker mercenaries to break into US academic institutions in order to break into US government institutions; because, back then, there wasn’t any cybersecurity. It was all just strings and cans.
Cliff treats it like a science experiment. He collects data and develops hypotheses. He single-handedly invents incident response. But the best part is that here is this lefty liberal, who hates the man and anything the government is doing, and now he is on the phone every week trying to help the CIA, the FBI, and the NSA understand the magnitude of the problem. There’s even a love story that my wife appreciated, and there is a chocolate chip cookie recipe in the back that I’ve tried.
This book came out when I was in grad school. Instead of doing my thesis, I spent the weekend reading it. It changed my career trajectory like it did for many of my peers. I was going to be an IT guy. For the first time, being a security guy was an option, and many of us leapt at the chance.
Back then, authors put their real email addresses in their books. As soon as I finished it, I sent Dr. Stoll a gushing email telling him how much I loved it. He answered me in about 15 minutes (the internet world was smaller then), and I have been a fan ever since.
If you haven’t read this yet, by all means, put this at the top of your reading queue.
The Perfect Weapon
Next is “The Perfect Weapon,” published by New York Times journalist David E. Sanger in 2018. It covers nation-state cyber activity from the likes of China, Iran, North Korea, Russia, and the United States from about 2010 to 2018. And if you can’t bring yourself to read the entire book, there is a two-hour HBO documentary, produced by Sanger, that covers the same ground.
Here’s a quick story from the book. In 2014, President Obama launched an electronic warfare operation, referred to as "left-of-launch," targeting the North Korean nuclear missile program. The idea was similar to what he did with Stuxnet, Operation Olympic Games, back in 2010, which targeted the Iranian nuclear enrichment facility at Natanz. In this operation, the US targeted the North Korean missile itself, the Musudan, an intermediate-range ballistic missile that could strike U.S. bases in the Pacific. While testing, North Korea attempted multiple launches. Most failed. Many exploded in mid-air. Sanger claims that most of those failures were due to this "left-of-launch" operation.
That operation didn’t get the headlines that Stuxnet did, but that’s why you read books, especially this one. The deep dive gets you the details of things that you may never have heard about.
Tracers in the Dark
My last recommendation is Andy Greenberg’s “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.” This is the best cybercrime book I’ve read in over a decade. According to Greenberg,
The book is about the advent of cryptocurrency tracing as a law enforcement investigative technique.
What that means is that if you had any notion that cryptocurrency transactions in general, and Bitcoin transactions in particular, were anonymous, Greenberg completely shatters that idea. He documents the research of Sarah Meiklejohn (a university researcher), Tigran Gambaryan (an IRS Special Agent), Chris Janczewski (another IRS Special Agent), and Michael Gronager (the CEO of Chainalysis), and then tells the stories of how law enforcement used those research techniques in some of the most successful law enforcement operations in recent years:
Silk Road
Colonial Pipeline
Mt. Gox (The Bitcoin Exchange)
The BTC-e bitcoin trading platform
Greenberg also covers the takedown of criminal marketplaces like:
AlphaBay
Welcome to Video
Hansa
The CyberCanon Committee has inducted two of Greenberg’s books into the Hall of Fame: this one and his 2019 book “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” about the Russian cyber attacks targeting Ukraine two years before the current war.
Take Away
The CyberCanon is filled with must-read books, something for every need you have, and curated by a team of veteran professionals. Go to the list and pick your book for some Deep Learning. As David Brooks says,
Reading a book puts you inside another person’s mind in a way that a Facebook post just doesn’t.
— David Brooks
I know it’s counterintuitive that more is not better. It’s tough to get your head around that idea. But it’s true. A deep dive on a subject that you want to master is way more impactful than skimming vendor bullet lists or scanning AI-generated summaries. Those tools have their place. I’m not saying they don’t. But if you want to master a subject, the deep dive is the way to go, and the book is the perfect delivery mechanism.
And that’s what I’m talking about at this week’s DC Cyber Summit. My slot is 4:25 EST on Thursday, 17 July, at the Ritz-Carlton, Tysons Corner in McLean, VA. If you’re in town, please come out. I would love to meet you.
References
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/dp/1394173083/
Andy Greenberg, 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Book]. Goodreads. URL https://www.goodreads.com/book/show/60462182-tracers-in-the-dark
Rick Howard, Andy Greenberg, 2024. Bonus Episode: 2024 Cybersecurity Canon Hall of Fame inductee: Tracers in the Dark by Andy Greenberg. [Podcast]. The CyberWire. URL https://thecyberwire.com/podcasts/cso-perspectives/5569/transcript
Rick Howard, Ben Rothke, Larry Pesce, 2025. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/tracers-in-the-dark-the-global-hunt-for-the-crime-lords-of-cryptocurrency/
Andy Greenberg, 2019. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers [Book]. Goodreads. URL https://www.goodreads.com/book/show/41436213-sandworm
Rick Howard, 2020. Cybersecurity Canon Book Review: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/cybersecurity-canon-book-review-sandworm-a-new-era-of-cyberwar-and-the-hunt-for-the-kremlins-most-dangerous-hackers/
Clifford Stoll, 1989. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage [Book]. Goodreads. URL https://www.goodreads.com/book/show/18154.The_Cuckoo_s_Egg
Rick Howard, 2014. The Cuckoo’s Egg [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/the-cuckoos-egg/
David Sanger, 2018. The Perfect Weapon: How the Cyber Arms Race Set the World Afire [Book]. Goodreads. URL https://www.goodreads.com/book/show/36560496-the-perfect-weapon
David Sanger, 2020. The Perfect Weapon [HBO Documentary]. IMDb. URL https://www.imdb.com/title/tt11354168/
John Davis, 2025. The Perfect Weapon: War, Sabotage and Fear in the Cyber Age [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/the-perfect-weapon-war-sabotage-and-fear-in-the-cyber-age/
David L. Ulin, 2010. The Lost Art of Reading: Why Books Matter in a Distracted Time [Book]. Goodreads. URL https://www.goodreads.com/book/show/8518218-the-lost-art-of-reading
George Finney, 2022. Project Zero Trust: A Story about a Strategy for Aligning Security and the Business [Book]. Goodreads. URL https://www.goodreads.com/book/show/62061375-project-zero-trust (accessed 7.15.24).
Rick Howard, 2024. Project Zero Trust: A Story about a Strategy for Aligning Security and the Business [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/project-zero-trust-a-story-about-a-strategy-for-aligning-security-and-the-business/
Helen Patton, 2021. Navigating the Cybersecurity Career Path [Book]. Goodreads. URL https://www.goodreads.com/book/show/59701522-navigating-the-cybersecurity-career-path
Rick Howard, 2025. Navigating the Cybersecurity Career Path [Hall of Fame Review]. CyberCanon. URL https://cybercanon.org/navigating-the-cybersecurity-career-path/
You are singing my song, Patrick!
Great post. Deep reading to learn and reading novels for pleasure are two of my favorite things. I'm also a believer in the idea that taking notes on our deep reads - in our own words - forces us to really understand a topic and helps it to stick with us.