Dec 29, 2024

Book recommendations part II



In 2019, I shared 15 book recommendations tailored for CSOs and CISOs, focusing on security, leadership, and personal growth. Now, five years later, I’m expanding that list with 15 more outstanding reads - books that have influenced my thinking and earned my 5-star rating. Whether you’re a seasoned professional or just curious about these topics, this list offers insights and inspiration to sharpen your skills and broaden your horizons.

As an experienced security and cybersecurity leader, I often look beyond the “security box”: I already understand what needs to be done in security, but figuring out how to make it happen is more challenging. That’s why I gravitate toward books on human behavior, emerging technologies, business, leadership, risk management—and a bit of science fiction for a glimpse into the future. 

You can find my complete reading list on my website or on Goodreads. Since 2019, I’ve rated more than 100 books with four or five stars. Keep in mind, my ratings are influenced by my existing knowledge, current interests, and the books I've read earlier, so your experience may differ.

Interestingly, my reading habits have shifted over the past five years: I used to consume a fairly even mix of physical books, e-books, and audiobooks (with e-books edging out slightly). Now, half of my book consumption is done in audio format, and e-books have become my least used medium.

Now to the books I've selected. Grouped per high-level topic, in no particular order.

Security

🌟Strategic Security: Forward Thinking for Successful Executives by Jean Perois

An excellent overview of the challenges in running a security department, paired with practical strategies to address them. Topics range from strategic thinking and selling security initiatives to implementing and measuring security programs, building awareness, fostering creativity, and personal development. A highly recommended read - even for seasoned security practitioners.

🌟This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth

A thorough examination of the vulnerabilities in our increasingly digital world. While the author discusses many high-profile breaches and incidents that have already been extensively documented, she does so in a refreshingly insightful way. This book offers the most detailed exploration of the software vulnerability market I’ve encountered. It’s truly concerning that governments allocate vast sums of money to acquire vulnerabilities for offensive or surveillance purposes.

🌟Security Chaos Engineering: Sustaining Resilience in Software and Systems by Kelly Shortridge, Aaron Rinehart

A book that questions conventional approaches to building secure IT systems. By reframing the discussion from security to resilience, the authors offer a fresh perspective on software design and implementation, particularly regarding application design, development, and testing.

🌟Putin's Trolls: On the Frontlines of Russia's Information War Against the World by Jessikka Aro

Jessikka is a Finnish journalist who has faced harassment, smear campaigns, and threats ever since she began reporting on Russian disinformation operations and troll factories. This book not only explores her personal experiences but also highlights other cases in which Russia has attempted to discredit and silence journalists and researchers.

Business, Leadership

🌟Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley by Antonio García Martínez

An entertaining look at the Silicon Valley startup scene and the early days of Facebook’s advertising model. This book offers a starkly cynical perspective that might make you reconsider your startup ambitions.

🌟The Four Workarounds: Strategies from the World's Scrappiest Organizations for Tackling Complex Problems by Paulo Savaget

A great book on real-world "hacking", introducing four workaround strategies - piggyback, loophole, roundabout, and the next best - supported by numerous examples. It’s all about creatively navigating rules to solve problems and getting things done.

🌟DevOps for the Modern Enterprise: Winning Practices to Transform Legacy IT Organizations by Mirco Hering

An excellent, concise introduction to Agile IT, covering both the technical foundations and the human elements critical to success.

🌟The Death Of Expertise: The Campaign Against Established Knowledge and Why it Matters by Thomas M. Nichols

A fascinating look at a world where disagreeing with someone is considered an insult and all opinions - no matter how far-fetched - are deemed equally valid. The author examines what’s wrong with our education system, why having vast amounts of information hasn’t made us any smarter, and how rising competition is affecting journalism. There’s also a critical discussion of how people confuse democracy with the notion that all opinions hold the same weight. While experts aren’t always right, the book delves into the potential implications of dismissing expertise altogether.

Artificial Intelligence

🌟AI 2041: Ten Visions for Our Future by Kai-Fu Lee, Chen Qiufan

This collection features ten AI-themed sci-fi stories by Chen Qiufan, each paired with commentary and insights from AI expert Kai-Fu Lee. It’s an excellent blend of fiction and factual analysis, perfect for sci-fi enthusiasts interested in learning about AI. The stories touch on a wide range of AI concepts - from natural language processing and deepfakes to VR/AR/MR, smart cities, autonomous weapons, and the displacement of jobs by AI. Particularly commendable is the attention to security, privacy, and ethics, offering a balanced and thought-provoking perspective.

🌟Scary Smart: The Future of Artificial Intelligence and How You Can Save Our World by Mo Gawdat

This book explores both the positive and negative potential outcomes of AI and proposes ways to amplify the benefits. The author posits that three events are inevitable: (1) AI will emerge, unstoppable; (2) it will surpass human intelligence; and (3) mistakes will be made. Because there’s no reliable way to contain a superintelligence, the author argues we must teach it to care for humanity as if we were its parents. 

Human Behavior

🌟Never Split the Difference: Negotiating As If Your Life Depended On It by Chris Voss

I've read quite a lot about behavioral economics, but mostly in the form of theoretical and academic studies. This book gives excellent advice on how to use that knowledge in practice. The cases are interesting, ranging from negotiating apartment rent to negotiating ransom with kidnappers.

🌟The Future of the Mind: The Scientific Quest to Understand, Enhance, and Empower the Mind by Michio Kaku

An eye-opening and highly entertaining book that explores what we know about how the brain works, the studies and experiments undertaken to deepen our understanding, and the intriguing possibilities of re-wiring our minds. It even ventures into sci-fi territory by considering what might happen if we could upload our brains into a computer.

🌟The Unthinkable: Who Survives When Disaster Strikes - and Why by Amanda Ripley

An exploration of human behavior during disasters, this book emphasizes the unpredictability of how people will react - who might freeze, who might act heroically, and how the brain and body can fail in surprising ways (including temporary stress-induced blindness). One key takeaway is that mentally rehearsing worst-case scenarios in advance can be life-saving when crises strike.

🌟The 48 Laws of Power by Robert Greene

Empathy, teamwork, ethical decisions? Nope. How about manipulation, taking credit for the work of others and crushing your enemies? The book is a compelling yet troubling read, presenting 48 laws that flip today's expected norms on their head, making for a peculiarly refreshing experience. Each law is backed by historical narratives, making it a recommended read for its thought-provoking content, albeit with a caution against using it as a behavioral blueprint.

🌟Humankind: A Hopeful History by Rutger Bregman

You’ve probably heard about Lord of the Flies, the Stanford Prison Experiment, the Bystander Effect, or other studies and stories suggesting that people are inherently selfish, untrustworthy, and even dangerous - leading us to treat one another with defensiveness and suspicion. This author, however, dismantles those assumptions, arguing that most people are actually quite decent at heart. According to the book, “homo puppy” (humankind’s cooperative, playful nature) has triumphed in large part because we’re wired to work together. It’s an excellent read that prompts reflection on your own biases and behaviors - a worthwhile exercise, even if you don’t fully agree with the author’s conclusions.

The end - with a bonus

That's it - I hope you found it useful. All of my previous recommendations remain valid, so feel free to check those out as well. 

As the saying goes - “All work and no play makes Jack a dull boy” (famously quoted in The Shining) - I’d also like to include two bonus suggestions for those who enjoy science fiction: The Three-Body Problem series by Liu Cixin and the Bobiverse series by Dennis E. Taylor are excellent.

Happy reading - and now that you know my preferences, I’d love to hear your reading suggestions!



Dec 7, 2023

Ready or not - EU legislation will challenge you




A tsunami of EU legislation

A tsunami of EU legislation is on the horizon for organizations. How are you preparing for it?

  1. Bring it on -  we're actively preparing
  2. We're aware, but believe there's ample time
  3. What regulation? 

If you chose (1), congratulations are in order. You likely have a vigilant compliance team keeping the organization up to date with new requirements as they arrive.

For those who chose (2), I strongly recommend an immediate evaluation. New regulation is a 'grey rhino' risk - large, apparent, and approaching, yet often disregarded as distant and non-urgent. 

This post specifically addresses response (3). I'll provide a high-level overview of what's coming to motivate you to start preparing. Read on to understand the implications of these categories and how they might affect your organization.

EU legislation schedule

Below, you'll find a snapshot of new or impending EU legislation. I've categorized them into three groups: Security & Safety, Data, Digitalization & Privacy, and Artificial Intelligence. While I've grouped these based on each law's primary focus, it's important to note that most of these laws intersect across several areas.



(regulation map updated 12th Jan 2024)

Take note of the distinction between regulations and directives. A regulation is a binding legislative act that must be implemented in full across the EU. In contrast, a directive is a legislative act that establishes a goal for EU countries to achieve. However, the method of achieving these goals is left to the individual countries, which can craft their own laws accordingly.

Below, you'll find a very brief explanation of each regulation and directive mentioned in the above image. For comprehensive details, visit the EUR-Lex site, which is a database of European Union law available in all EU languages.

Selected legislation in brief

NIS2: EU directive 2022/2555 on measures for a high common level of cybersecurity across the Union 

The Network and Information Systems 2 Directive is an update to NIS1 focused on improving cybersecurity. It introduces tougher rules to tackle emerging cyber threats and digital challenges. The directive now covers additional sectors, demanding that organizations report major incidents and follow stricter risk management and reporting guidelines. This aims to boost cyber defenses, especially in key sectors.

CER: EU directive 2022/2557 on the resilience of critical entities 

The Critical Entities Resilience Directive is designed to strengthen the protection of vital infrastructure in the EU against threats like natural disasters, terrorism, internal threats, and sabotage. It requires EU countries to pinpoint crucial organizations that deliver key services vital for society and the economy.

DORA: EU regulation 2022/2554 on digital operational resilience for the financial sector

The Digital Operational Resilience Act focuses on increasing the digital robustness of the EU's financial sector. It establishes a detailed set of rules for handling digital risks in financial markets. DORA applies to many financial entities like banks, payment services, investment firms, and insurance companies. Its purpose is to make sure these organizations can manage and endure different types of digital threats effectively.

eEvidence: EU regulation 2018/0108 on electronic evidence in criminal proceedings

The eEvidence Regulation simplifies how law enforcement agencies in the EU can access electronic evidence for criminal probes. It introduces new tools for quicker and more efficient access to digital data (like emails and texts) across borders. The regulation also sets out clear guidelines for member states on managing data access requests, especially those involving private companies, during investigations.

RED: EU delegated regulation 2022/30 to increase cybersecurity and privacy for wireless devices

The Radio Equipment Directive provides a regulatory framework for the marketing of radio equipment. It aims to create a single market for radio equipment by setting essential requirements for safety, health, electromagnetic compatibility, and efficient radio spectrum use. RED was revised to include Article 3.3, which now addresses the security of radio interfaces. This revision mandates that all radio equipment placed on the EU market must comply with this updated regulation to achieve CE marking, signifying conformity with health, safety, and environmental protection standards.

GPSR: EU regulation 2021/0170 on general product safety

The General Product Safety Regulation is set to become a significant component of the EU's product safety legal framework, replacing the current General Product Safety Directive and the Food Imitating Product Directive. Its goal is to improve the internal market's functioning while ensuring a high level of health, safety, and consumer protection. This is achieved by setting fundamental safety standards for consumer products sold in the EU market.

CRA: EU regulation on horizontal cybersecurity requirements for products with digital elements

The Cyber Resilience Act focuses on establishing uniform cybersecurity standards for products with digital components. Its main objective is to safeguard cyber and data security throughout the entire lifespan of such products. This applies to any product designed for use with a data connection, either physical or logical, to a device or network. The Act mandates that manufacturers must offer security support and software updates to fix known vulnerabilities. 

CSA: EU regulation to strengthen preparedness to cybersecurity threats and incidents

The EU Cyber Solidarity Act is designed to improve the EU's preparedness, detection, and response to cybersecurity incidents. This Act aims to create a "European cybersecurity shield" and comes with a significant budget to strengthen EU-wide efforts against cybersecurity threats. The Act focuses on improving threat detection, increasing awareness of cybersecurity situations, and strengthening the preparedness and response strategies for major and large-scale cyber threats and attacks. 

Data Act: EU regulation on harmonized rules on fair access to and use of data

The Data Act is aimed at creating harmonized rules for fair access to and use of data generated within the EU. Its primary objectives are to promote fairness, enhance competition, and encourage data-driven innovation. This Act includes regulations on data sharing, access, reuse, and portability. It also encompasses guidelines for data sharing agreements, provisions for accessing data during public emergencies, and obligations for transitioning between cloud services.

DMA: EU regulation 2022/1925 on contestable and fair markets in the digital sector 

The Digital Markets Act Regulation is designed to promote a fairer and more contestable digital economy. The DMA targets the regulation of activities of companies, particularly large platforms, in the digital sector, introducing specific prohibitions and obligations for these 'big tech' companies to ensure competition and fairness. This regulation is part of the EU's effort to address and manage the dominance of large tech companies and to create a level playing field in the digital market.

DGA: EU regulation 2022/868 on European data governance

The Data Governance Act sets out regulations for the re-use of public sector data. It aims to create a unified market in the EU for data mediation services and the processing of data for altruistic reasons. The DGA's main focus is on easing the sharing of data within the EU and across various sectors.

DSA: EU regulation 2022/2065 on a single market for digital services 

The Digital Services Act updates the Electronic Commerce Directive of 2000 and focuses on illegal content, transparent advertising, and disinformation. It establishes a framework for regulating digital services within the EU, amending previous directives to address the current digital market. It outlines the responsibilities of digital services, particularly those acting as intermediaries that connect consumers with goods, services, and content, aiming to create a safer and more accountable online environment.

CSRD: EU directive 2022/2464 regarding corporate sustainability reporting

The Corporate Sustainability Reporting Directive (CSRD) requires more companies to provide detailed reports on their environmental and social impact. It aims to make businesses more transparent about how they affect society and the environment.

ePrivacy: EU regulation on privacy and electronic communications

The ePrivacy Regulation will succeed the ePrivacy Directive of 2002. This regulation is an extension of the GDPR and is specifically focused on cookies and other tracking technologies, with a promise of even more stringent protection of internet user privacy. Aimed at companies in the digital economy, the ePrivacy Regulation imposes additional requirements related to the processing of personal data.

AI Act: EU regulation on laying down harmonised rules on artificial intelligence

The EU Artificial Intelligence Act is designed to strengthen rules concerning data quality, transparency, human oversight, and accountability. It also addresses ethical questions and implementation challenges across various sectors. The AI Act would classify AI systems according to their risk level and establish specific development and usage requirements for these systems. 

AI Liability: EU directive on civil liability rules to artificial intelligence

The AI Liability Directive seeks to establish uniform rules for non-contractual civil liability regarding damage caused by AI systems. It introduces a 'presumption of causality' that would make it easier for victims to prove damages inflicted by AI-powered software or products. This directive would enable victims to hold providers, developers, or users of AI technology accountable for harm to health, property, or fundamental rights, such as privacy. The directive aligns with the AI Act. 

Be compliant out there!

As you can see, there's a substantial amount to review. It's crucial to assess your current situation and plan for compliance accordingly. The recurring themes in these regulations appear to be thorough risk management, the responsibility of leadership, and significant sanctions in the event of non-compliance.

I strongly recommend that you begin assessing the impact of these upcoming regulations on your organization.

Dec 28, 2022

The quest for the truth in cybersecurity data



(Photo by Chris Liverani on Unsplash)

As the saying goes, "if you torture the data long enough, it will confess." Interpreting cybersecurity statistics can be challenging, especially those that receive media attention. It is important to approach these statistics with a critical eye and consider the context in which they were collected, the potential biases of the data sources, and other factors that could impact their accuracy and relevance.

For example, it was recently reported that ransomware attacks in Finland have increased significantly in 2022. However, upon further investigation, I found out that while there were 3 ransomware attacks on essential service providers in 2021, there were 11 such attacks in 2022. This is a whopping 300% increase!

To understand if the increase is really significant, let's consider the total number of essential service providers in Finland, which is estimated to be between 1000 and 2000. Using the conservative number 1000, this means that in 2021, ransomware attacks targeted 0.3% of essential service providers, while in 2022, the number rose to 1.1%. Alternatively, the increase could be described as a 0.8 percentage point increase.

Four times more ransomware attacks this year, or 300% increase, or 0.8 percentage points increase or just saying that there were 8 attacks more than last year? Your pick depending on what message you want to deliver.

Analysing the trustworthiness of cybersecurity statistics or survey results can be hard work. My tips for a quick and dirty analysis are:
  • Do you believe that the source of the information is objective?
  • Is the tone of the message matter-of-fact rather than attention-seeking?
  • Is the method of data collection and analysis described?
  • Do the conclusions make sense based on your own view of the situation?
I would be much more inclined to believe the results if I got a "yes" to all four questions.

If you want to dig deeper, you may consider the following factors:
  • The context in which the statistics were collected and reported
  • Any potential biases of the data sources
  • Whether the study covers only successful breaches or also blocked attacks
  • The possibility of cherry-picking or random variation in the results
  • The source and size of the data and how it was sampled, as well as any explanation of uncertainty levels
  • The clarity of terminology, such as the use of terms like "breach," "incident," and "hack"
  • The understanding that correlation does not equal causation
  • The consideration of absolute risk, not just relative risk
  • The presence of other studies that support the results
Going back to that ransomware attack increase example: it's one thing to understand what has happened and another thing to understand why. My example just showed that conclusions can be delivered differently depending on an agenda. The reason for the increase in ransomware attacks could be, for example, activity related to the Russian-Ukrainian war, criminal activity, an increase in zero-day vulnerabilities, changes to organizations' infrastructure because of remote work, or a combination of many of these. The why is important to know in order to understand the risk and decide on possible actions.

Surveys and statistics can be useful in understanding the state of cybersecurity and trends in the field. However, it is important to approach these statistics with caution and consider all of the factors that could impact their accuracy and relevance.

With cybersecurity statistics and surveys, the usual rule also applies: if the results sound too good or too bad, they are probably not true.


May 23, 2021

Predicting cybersecurity events in Finland


(Photo by Dollar Gill on Unsplash)

During March-April 2021 I've been speaking at or chairing a few cybersecurity events and courses. Since it's all been remote because of the pandemic, I've spiced up the events with online surveys. One survey was about predicting the likelihood of certain cybersecurity events happening in Finland. It was interesting to see and discuss the results.

I asked participants to estimate the likelihood of the following events happening before the end of 2022.
  1. Finland enforces legislation to require ISO 27001 certifications from the largest essential service providers
  2. Cyber security accountability / leadership will be centralized in Finnish government (e.g. Cyber Ministry)
  3. Finland will be among the top three countries in the Estonian national cyber security index (2020: #1 Greece, #2 Czech, #3 Estonia - #8 Finland)
  4. A Finnish cyber security company (Revenue >10M€) will be acquired by a foreign company.
  5. A major cloud provider will have an interruption of service lasting 8 or more hours impacting many Finnish organizations
  6. A Finnish company (other than Vastaamo) with over 100 employees will go out of business due to a cyber-attack
  7. Cyber-attack causes physical damage which leads to death(s)
  8. A Finnish company gets over 1 million EUR GDPR sanction
All 86 participants were experienced security and/or cybersecurity professionals and answers were given anonymously. 

Cybersecurity predictions results

A Finnish cyber security company being acquired (4), a major cloud service interruption (5) and a cyber-attack forcing a company out of business (6) were predicted to be the most probable. The average likelihood of all three events was between 60% and 70%. The least probable event was a cyber-attack causing deadly physical damage. The mean and median results did not differ much.

Interestingly, almost all events got estimates ranging from 0% to 100%. The only exceptions were the Estonian national cyber security index result (3), whose highest estimate was 90% likelihood, and a cyber-attack forcing a company out of business (6), whose lowest estimate was 10% likelihood. In short, the estimates were all over the scale. The standard deviation was large - between 25 and 30 percentage points.

This was not intended to be a serious study, but a fun survey of how Finnish security and cybersecurity professionals see the probability of some events within a timeframe of almost two years.

Apr 12, 2020

COVID-19: Making sense of cybersecurity for home workers

(Photo by Ali Yahya on Unsplash)

Countermeasures against COVID-19 infection have changed the way we work and communicate. Everyone who can work from home is advised or forced to do so. Some are experienced remote workers, but many are working out of the office for weeks or months in a row for the first time.

Many (if not all) cybersecurity companies and authorities are publishing remote working security guidelines. Despite good advice and intentions, in my opinion many are missing the point, at least from the point of view of a large organization where employees use company-managed devices.

The advice I've seen typically mixes several target audiences: IT departments, remote workers in general, remote workers stuck at home and even individuals using personal devices. It may be difficult to figure out what is the home worker's own responsibility.

Here's what is special about remote working currently:
  • People are working at home - not at cafes, libraries or other public spaces.
  • The whole family is working at home, kids included.
  • Everyone is worried about bigger issues than cybersecurity: the health of their family, job security, money, etc.
  • Everyone is extra stressed because of social distancing and lockdowns.
The following advice is given from a typical large organization's point of view, where remote workers use company-provided devices and software and have a professional IT team supporting them.

Do NOT worry:
  • The security of your company-provided devices. It's the responsibility of the IT team to make sure that devices, network connections and access to applications are secure: encrypted hard disk, VPN access to the company network, strong authentication, anti-malware software in place and all software up to date.
  • How the security of your home network may affect remote work. It's good to change the default password of your home wifi access point and check the device configuration in order to protect your home. However, your company devices should be protected regardless of your home network. They are configured to allow access from random cafes, after all.
  • Absolute confidentiality of work-related matters. In reality there may be several family members at home working around the same kitchen table. Do your best and try to find a private corner for the most confidential discussions, but don't stress too much about it.
What you CAN do to protect work-related confidential information and the company network:
  • Follow the company guidelines. Each company may have some special requirements depending on the work and selected tools. Make sure to follow internal communications and act accordingly.
  • Use and protect the company device. Keep your company device to yourself and lock the screen when not in use. Sorry, but you need to get personal devices for your own and your family's leisure use. 
  • Keep the data on the company network or device. Use only your company-provided device and file/document storage to store data. If you must handle printed material, make sure to destroy it later in accordance with your company guidelines.
  • Keep your passwords to yourself. Nobody - and I mean nobody - should ask for and get your password. Not even your trusted IT team or service desk. Do not reuse your company password in services which are not work related.
  • Think (extra carefully) before you click. Use your common sense when receiving surprising or suspicious emails or other messages. Do not open attachments or links without checking their authenticity. Criminals are busy trying to profit from fear and uncertainty. Phishing and scams are now more common. 
  • Ask for help. If you are unsure what to do, see something suspicious or accidentally click a phishing link, contact your organization's service desk or IT support. Better safe than sorry.
In these extraordinary times organizations should take as much of the cybersecurity burden off employees as they can. By following the simple advice above, users become a strong link in the security chain; the other strong link must be your IT team, which takes care of the technical protection.

Note that if employees' own devices are allowed to access the company network and confidential data, a totally new can of worms is opened. I don't want to go there now. Good luck.

Take care and stay safe!