About Cybersecurity Canon
A Resource for Security Professionals Comes to Higher Education
Originally published as Helen Patton, “The Cybersecurity Canon: A Resource for Security Professionals Comes to Higher Education,” Security Matters (blog), EDUCAUSE Review, August 6, 2020. © 2020 Helen Patton.
For years, cybersecurity professionals have relied on the Cybersecurity Canon to learn about core aspects of information security and cybersecurity, and now this timeless resource is moving to The Ohio State University.
What Is the Cybersecurity Canon?
Cybersecurity professionals know that there are many resources to help them learn about the industry. The challenge is knowing which resources are credible and useful. Rick Howard, CISO at Palo Alto Networks, created the Cybersecurity Canon in 2013 to address this need. The Cybersecurity Canon is a useful, curated catalog of:
"must-read books for all cybersecurity practitioners—be they from industry, government or academia—where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional's education that will make the practitioner incomplete."1
Thanks to Howard's work, cybersecurity professionals have a place to find meaningful information and resources that illuminate the technical, historical, and political aspects of the profession.
Why Ohio State?
In 2020, Howard left Palo Alto, and that left the Canon in need of a new home. Coincidentally, Helen Patton, CISO at The Ohio State University, was both a Canon committee member and co-director of Ohio State's new Institute of Cybersecurity and Digital Trust. The need to find the Canon a new home matched perfectly with the mission of the Institute, and Ohio State jumped at the chance to become the facilitator of the Canon.
How Is a Book Admitted to the Canon, and How Does It Get into the Hall of Fame?
Book reviews are collected via crowdsourcing throughout the year and are augmented by reviews completed by a volunteer committee of cybersecurity professionals. The reviews result in a recommendation (or not) that the book be nominated as a candidate for the Canon or the Hall of Fame. Each year, the committee evaluates the nominations and admits books into the Canon. A few exceptional candidates are awarded Hall of Fame status.
The criteria for a book to be admitted into the Cybersecurity Canon Hall of Fame are simple to understand; however, it is difficult for any one book to achieve this status. Such a book must explore a cybersecurity topic deeply, reference historical activities and themes, and have implications for the future of cybersecurity practitioners. In other words, the book must rise to the level of being required reading for anyone who wants to become an expert in the cybersecurity profession.
The Future of the Canon
Ohio State plans to maintain the core of the Canon in its current state—reviewing books and annually celebrating Hall of Fame winners. In the future, the university will also explore adding other formats, such as academic articles, white papers, online media presentations, movies, etc.
The Canon can be used to facilitate engagement among members of the cybersecurity community, as well as faculty, staff, and students in the higher education community; to enhance understanding of the world of cybersecurity; to preserve the history of cybersecurity; and to advance best practices within the cybersecurity community. Housing the Canon at a university is beneficial because the higher education community is already engaged and well-versed in exploring and evaluating books and other resources.
If you are a researcher, practitioner, student, or teacher, you can learn from and contribute to the Canon. As the administrators of the Cybersecurity Canon, Ohio State will continue to collaborate with practitioners from the cybersecurity industry, recruit industry practitioners to be on the Canon committee, and recommend books for review to ensure the input into the Canon is as relevant and inclusive as possible.