I have a regular set of go-to books, both for myself and as recommendations to others at all stages of their career. Here they all are, with what I think, at least for me, is the key takeaway. Of course, there are not many classic security books here. Most of the challenges of a security leader's role are, well, leadership, along with a healthy dose of program management, culture development, technical attention to detail, risk management and more. In fact, the accumulation of security knowledge might be one of the easier parts of the job.
- The importance of attention to detail and the compounding effects of doing all the small things really well.
- "We suffer more in imagination than in reality", and many other daily reminders of the usefulness of Stoicism.
- Maintaining focus on a small number of key priorities, accepting relative inattention to the many. This is obvious, of course, but it takes techniques and discipline, especially while also holding down a "real" job.
- A reminder, with plenty of case studies, of the importance of sublimating your ego when leading or managing any effort. This is useful for security people, since a big pattern in our work is being ok with others taking the credit for risk reductions that were, behind the scenes, the result of our long-term influence or, indeed, short-term tactical coercion.
- The absolute classic management book. If, as a manager and leader, you do most of what is in this book, you will be unstoppable. I re-read this regularly to remind myself of where I have relapsed in some of the recommended practices.
- Ostensibly a guide for building start-ups, but broadly applicable to any role in which you are building or re-building a team, a function, a major program or anything else where, if you're honest, the odds are kind of stacked against you and you're immersed in a ton of ambiguity.
- A lot of behavioral economics has been refuted, or more precisely some of the original experimental evidence has proven flawed. However, a lot hasn't, and even some of what has been refuted will, I suspect, be shown to be correct with improved experiments. I've found this approach very useful for structuring many aspects of a risk management program.
- I'm a natural worrier and catastrophizer. This has, I suppose, made some aspects of my career better than they otherwise would have been. Indeed, a key success criterion for many security people is a healthy dose of paranoia to get ahead of realized risk. But there have been times where this has reduced my quality of life. It helps to revisit this classic.
- I didn't realize how important and useful marketing is, for many things but especially for security and risk programs, until I read this book. It was insights from this book that led me to, literally, brand some key security programs with associated logos. This brought recognition and more funding, and served as a reminder for the Board during their updates.
- This isn't the most exciting topic, but if you have a predominantly non-business background and want a crash course in business concepts, this is an excellent and quick way to upload that knowledge.
- A gripping story of the design and build of a state-of-the-art minicomputer (for its time). I first read this when I was an undergraduate doing intern placements building at the intersection of new hardware and software, and it was, and still is, a refreshing reminder that doing this at any level is hard, very hard.
- I've learnt more about writing and influence, let alone marketing, from this book than from any other. This is important given how much of the security leader's role is communications and influence.
- You can skip most work and personal productivity books and simply study this and revisit it regularly to keep improving. This helped me change how I approached productivity by building small actions around my life aligned to triggers in other work.
- I'm not an economist, but I've worked with many and picked up a lot of economics concepts over the years. In hindsight I could have saved myself a lot of time and just read Coase's classic.
- Similarly, if you've ever been puzzled about how money, banking and the global economy work, then most of the "unlocks" to that understanding are in this wonderful book. It coherently explains how money is created and how it works.
- The design of products, workflows and processes is incredibly important for security. Understanding design is hugely beneficial to doing this well. This book is a classic launch point for that knowledge and, like many on this list, is so beautifully written that it's a pleasure to revisit.
- Another Don Norman classic. We all encounter and have to mitigate the effects of complexity in our organizations and often in the wider ecosystems we occupy. This book tackles that, not from a complexity theory perspective, but from design.
- Possibly the funniest business book you'll ever read. A combination of further work on applied behavioral psychology, economics, marketing, communications and branding. This easy read is bristling with takeaway points you'll be itching to apply to your work.
- I was relatively late to control theory overall, but this book was a real eye-opener when I first read it a few decades ago. Literally every page causes you to pause and say, "Aw, crap, that's why that thing I did didn't work out."
- In the same vein as some of the other books on this list, you can save reading dozens of risk theory textbooks and simply read this to build a much deeper and more intuitive understanding of the art and practice of risk management. Like many great books on this list, you always learn something new on each re-read.
- From one of the titans of financial risk modeling, drawing heavily on his experience at Goldman Sachs, this is a great book to help you build a more intuitive understanding of the actual details behind the famous aphorism, "all models are wrong, but some are useful".
- One of Taleb's earlier works, from which you see echoes in his other work like The Black Swan. This is another useful book that helps you build an intuitive understanding of randomness, complexity, expectations, probability and how to work with uncertainty.
- From some of the most iconic builders of Google's technical infrastructure, this is a book that helped me more viscerally understand that problems at scale can often be wholly different problems, and to understand how hyper-scale cloud really works from a technical and economic perspective.
- The reference book on how to do security and reliability well. While based on work at Google, it has lessons for all types of organizations. The original criticism that much of it was not achievable in most organizations has not stood the test of time, given how many of the leading practices have since become standard.
- This book taught me that even in the most well-run companies (at that time), "politics" is an inevitable part of even the most technical decisions. Often (always?) there is in fact no one right answer in the face of uncertainty, so how decisions then get made requires lobbying, influence and politics.
- This is a relatively old book (2003) but one I wish I'd been able to read earlier. If you're a security leader who hasn't come from a software engineering background, every chapter will contain an insight that will have you say, "Oh, that's why that dev team hated what I was trying to get them to do!"
- This is another old book (1999) that rewired my security thinking from static to a dynamic interplay of defenders and attackers. This led to my (not unique) insight that "attackers have bosses and budgets too". You don't have to absolutely defeat attackers at all costs, but you can defeat them enough by simply tilting the time and cost game in your favor.
- The classic textbook for security engineering. Not something to read cover to cover, but an essential and useful desk reference (or online) to dip into.
- Hat tip to Gary McGraw for one of the earliest (or the earliest?) software security books. This is still worth a re-read to remind yourself of the more fundamental concepts of building security in, which we still need to get better at.
- Another classic in its own right. It's still a useful book, despite being very dated, because of the principles-based approach from Cheswick and Bellovin. It can be just as instructive for modern-day environments, from cloud networks to application service meshes.