Bitwarden Blog

How deep reading sets top cybersecurity professionals apart

Authored by: Bitwarden Events

Rick Howard, CEO of the CyberCanon Project, has been in cybersecurity long enough to earn what he jokingly calls the "Get Off My Lawn Champion" title — not because he has a grudge against the next generation, but because he's watched the entire profession develop a habit he believes is holding it back. During his keynote at the 2025 Bitwarden Open Source Security Summit, Howard challenged the audience with a simple message: cybersecurity professionals have stopped reading deeply, and it's time to change that.

The problem with summaries

During his time as CSO at Palo Alto Networks, Howard visited customers constantly. One pattern stood out: his peers weren't deep reading anymore. They were overwhelmed with content, had no time to consume it, and couldn't tell if what they were reading was even good.

In an attempt to stay current in the constantly changing cybersecurity field, professionals have turned to familiar shortcuts:

  • Speed over substance: Listening to books and podcasts at triple speed, absorbing fragments rather than forming a real understanding of the material

  • Surface-level sources: Preferring simplistic bullet-point blogs from vendors over long-form analysis

  • Summaries over engagement: Relying on overviews instead of engaging with actual content, skimming the surface without challenging or connecting the ideas

When ChatGPT emerged in November 2022, AI-generated digests joined this list of shortcuts.

Howard argues this approach is fundamentally wrong. In his view, summaries are useful for quick updates, but when someone really wants to understand something, they have to take their time with it. Sit with it. Challenge it. Connect it to what they already know.

Why books still matter

According to René Descartes, the reading of all good books is like conversing with the finest people of past centuries. That kind of conversation takes time and focused attention, not a couple of quick passes.

"Reading, after all, is an act of resistance in a landscape of distraction... It is slow rather than fast." – David Ulin

Howard's central argument builds on this idea: one deep dive on a single topic delivers more impact than flailing wildly trying to read everything. Despite all the technology, including AI summaries, YouTube videos, transcripts, and podcasts, books, including audiobooks, remain the best knowledge-transfer device available.

"If someone has read one book on a subject, they're probably the smartest person in the room on that topic." – Rick Howard

The CyberCanon solution

So, how do professionals know where to start? Howard created the CyberCanon Project in 2014 as an all-volunteer nonprofit with one vision: to be the information security profession's first source for curated, timeless, must-consume wisdom.

The project works like the Rock and Roll Hall of Fame. A committee of senior cyber professionals reads books, publishes reviews, and each year inducts books into the Hall of Fame. After 15 years, the CyberCanon has inducted just over 50 books. The collection spans a wide range of cybersecurity topics. Professionals looking to understand the complexities of Zero Trust can start with George Finney's “Project Zero Trust.” Those navigating their cybersecurity career path can turn to Helen Patton's book by the same name.

Three books every cybersecurity professional should read

Howard recommends three favorites from the CyberCanon 50, spanning three decades of cybersecurity history:

“The Cuckoo's Egg” (1989) by Cliff Stoll

Before this book, cybersecurity didn't really exist as a distinct field. This book turned IT professionals of Howard's generation into cybersecurity professionals.

Cliff Stoll was an astronomer who lost funding and ended up running a Unix lab. His boss asked him to track down a 75-cent accounting error in the student database. That 75 cents turned out to be the first indicator of what many consider the first cyber espionage campaign. Russians were using East German hacker mercenaries to break into US academic institutions to access government systems.

Stoll treated it like a science experiment and single-handedly invented incident response. That alone makes the book a landmark in cybersecurity history.

When the book came out in the late 1980s, Howard was in grad school. Instead of working on his thesis, he spent a weekend reading it, and it changed his career trajectory. He emailed Stoll, who responded in 15 minutes. Howard has been a fan ever since.

“The Perfect Weapon” (2018) by David Sanger

This book covers nation-state cyber activity from China, Iran, North Korea, Russia, and the United States from 2010 to 2018. Those who prefer video can watch an excellent two-hour HBO documentary covering the same material, produced by Sanger.

One standout story from the book: In 2014, President Obama launched "Left of Launch," an operation targeting North Korea's nuclear missile program. The approach resembled the Stuxnet operation that disrupted Iranian nuclear enrichment in 2010. The US targeted the Musudan missile itself, which could strike US bases in the Pacific. About 88% of North Korea's test launches failed, many exploding in midair. Sanger reports that most failures were due to this operation.

Stuxnet dominated headlines; Left of Launch didn't. The Perfect Weapon surfaces stories like these — operations that shaped global security but never made the news. It's the kind of depth that only comes from reading the full book, not the summary.

“Tracers in the Dark” by Andy Greenberg

Howard calls this the best cybercrime book he has read in over a decade. Greenberg demolishes the assumption that cryptocurrency transactions, especially Bitcoin, are anonymous. He documents how researchers developed cryptocurrency tracing into a law enforcement technique, then chronicles the major cybercrime takedowns that followed, including Silk Road, the Colonial Pipeline criminals, Mt. Gox, and AlphaBay.

The most gripping story in the book follows two IRS special agents who traced a blockchain trail to unmask the operators of the largest child exploitation site on the dark web. The investigation led to hundreds of arrests worldwide.

The path forward

"A single great book, mined deeply, can prove a powerful education." — Sam Marrico

Learning something new is counterintuitive. To make meaningful progress, professionals don't need to skim everything as fast as possible. They need to take their time, understand deeply, immerse themselves in the material, and write about it.

The CyberCanon 50 offers a curated starting point for anyone ready to commit to that kind of depth. Howard recommends beginning here:

  • Visit the CyberCanon website and read some reviews

  • Pick a book from the CyberCanon 50

  • Read it deeply and take notes

  • Pick the next one and repeat

“The Cuckoo's Egg,” “The Perfect Weapon,” and “Tracers in the Dark” are three strong places to start. Pick one, clear the evening, and find out what 75 cents, an 88% failure rate, or a blockchain trail can teach about the world of cybersecurity.