Ben’s Book of the Month: Review of “Tribe of Hackers Security Leaders: Tribal Knowledge from the Best in Cybersecurity Leadership”

Posted on by Ben Rothke

Over 20 years ago, Hacking Exposed: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray and George Kurtz was first published. It was so popular that it spawned several very successful follow-up editions and spin-off titles, covering a wide array of information security topics, from ICS and SCADA to wireless, web applications, Linux and more.


It looks like the Tribe of Hackers series from Marcus Carey and Jennifer Jin is taking that same path. The first volume was Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World, and their most recent is the just-released Tribe of Hackers Security Leaders: Tribal Knowledge from the Best in Cybersecurity Leadership (Wiley 978-1119643777). 


In the book, Carey and Jin put a series of questions to 51 information security leaders. Some of them are well-known industry veterans with decades of security experience, such as Mary Ann Davidson of Oracle, Chris Hadnagy, Andrew Hay, Joe Krull and Jake Williams. Others are relatively new to the security space. 


The authors pick the brains of these individuals, who share their industry insights, advice and stories of how they got into the field.


Some of the questions they asked were: 

  • Do you believe there is a massive shortage of career information security professionals?
  • What’s the most important decision you’ve made or action you’ve taken to enable a business risk?
  • What’s something that you struggle with as a leader, and how do you overcome that?
  • How do you lead your team to execute and get results?
  • Do you have any favorite books to recommend for people who want to lead cybersecurity teams?


The first question was of particular interest to me, as my recent article, The fallacy of the information security skill shortage, addressed that very issue. Some of the leaders agreed with that notion, including David Kennedy, Robert M. Lee, Jake Williams and a few others. But on this question, as on most of the others asked, there was no universal agreement among the leaders.


If there was significant agreement, it was in the area of a favorite book. While many books were mentioned, two stood out: The Phoenix Project by Gene Kim, Kevin Behr and George Spafford, and How to Measure Anything in Cybersecurity Risk by Richard Seiersen and Douglas W. Hubbard.


Information security is not monolithic, and the career paths within the industry are similarly diverse. The views expressed in the book show the many different routes these individuals took, and continue to take, on their information security journeys. 


While not a management book per se, information security managers should read it to understand that the information security journey is not a single path but a very varied one. Leading a capable security team means breaking out of some preconceived notions and working with a diverse workforce, with different ideas, personalities and approaches. 


There are numerous CISSP prep guides, which focus on the theoretical aspects of information security. Tribe of Hackers Security Leaders is a decidedly practical book, filled with real-world stories and advice. 

For those looking to get into the field (which, as some of the leaders noted, is not necessarily easy), or for those already in it, this is an excellent book that provides wisdom from some legendary information security leaders.

Ben Rothke

Senior Information Security Manager, Tapad

C-Suite View

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.