Category: books

“Fire Doesn’t Innovate” by Kip Boyle (Book Review)

I hate reviewing books by people I know, because I am a picky reader, and if you can’t say anything nice, don’t say anything at all. I also tend to hate management books, because they often substitute jargon for crisp thinking. So I am surprised, but, here I am, writing a review of Kip Boyle’s “Fire Doesn’t Innovate.”

I’m giving little away by saying the twist is that attackers do innovate, and it’s a surprisingly solid frame on which Kip hangs a readable and actionable book for executives who need to make cybersecurity decisions. And it doesn’t fall into the jargon trap either in security or management.

It is not a book for the CSO. It is a book for executives, including, but not limited, to CEOs. They need to understand why cyber risks aren’t like fire risks, they need to drive action by their company, and they don’t need, want, or have the time to be able to talk about the difference between Fancy Bear and SQL injection.

In this, it is less detailed by far than Peter Singer and Allan Friedman’s “Cybersecurity and Cyberwar.” That book is intended to act as a primer and get people ready for deeper learning. “Fire” is much more for the busy executive who needs to know what questions to act, what good answers look like, and what to tell their team to go do.

The book is organized into two major parts. Part I is basic cyber ‘hygiene’ for the exec, including actionable steps like turn on updates and backups and two factor auth. (I disagree with his blanket advice to never pay ransoms — getting your business back is probably better than losing it.) Part II is what to do. It’s organized around the NIST CyberSecurity Framework, and makes it actionable. The action is in three parts: assess, plan and execute, and do so on an annual schedule.

Part of me burns with the urge to scream “that’s too simplistic!” But I know that for a lot of executives, that’s what they need as they get started. The nuance and complexity that we can bring to their problem leads to a feeling that cyber is overwhelming and impossible. So they do nothing. There’s an important lesson and model here for those writing ‘how to be safe on the internet’ guidance, and maybe there’s a second book here for normal folks.

There’s another trap that Kip avoids, and that is the book that tells you about but doesn’t reveal the secret sauce. Those books are essentially ads for the thing the author has to sell, and the book tells you enough to get you to pick up the phone. “Fire” doesn’t do that. It lays out, specifically, here’s the questions to ask. Here’s the email to frame the project. Here’s how to interpret results. It’s a brave move, but one that I think is wise. (My threat modeling book tells you what you need to know, and people call me looking for help. The coaching, the “here’s the nugget you need,” and the comparisons all make for a good business.)

I don’t know of another book at this level. Buy it for the execs you know.

Disclosure: I bought a copy of the Kindle Edition, and Kip gave me a signed copy of the paperback. He says nice things about me in the acknowledgements.

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. Buildings don’t fall down because they’re engineered from a set of materials to meet the goals of carrying appropriate loads. Those materials have very different properties than the ways you, me, and everything from grass to trees have evolved to keep standing. Some of these structures are rigid, while others, like tires, are flexible.

The meat of the book, that is, the part that animates the structural elements, really starts with Robert Hooke, and an example of a simple suspension structure, a brick hanging by a string. Gordon provides lively and entertaining explanations of what’s happening, and progresses fluidly through the reality of distortion, stress and strain. From there he discusses theories of safety including the delightful dualism of factors of safety versus factors of ignorance, and the dangers (both physical and economic) of the approach.

Structures is entertaining, educational and a fine read that is worth your time. But it’s not really the subject of this post.

To introduce the real subject, I shall quote:

We cannot get away from the fact that every branch of technology must be concerned, to a greater or lesser extent, with questions of strength and deflection.

The ‘design’ of plants and animals and of the traditional artefacts did not just happen. As a rule, both the shape and the materials of any structure which has evolved over a long period of time in a competitive world represent an optimization with regard to the loads which it has to carry and to the financial and metabolic cost. We should like to achieve this sort of optimization in modern technology; but we are not always very good at it.

The real subject of this post is engineering cybersecurity. If every branch of technology includes cybersecurity, and if one takes the author seriously, then we ought to be concerned with questions of strength and deflection, and to the second quote, we are not very good at it.

We might take some solace from the fact that descriptions of laws of nature took from Hooke, in the 1600s, until today. Or far longer, if we include the troubles that the ancient Greeks had in making roofs that didn’t collapse.

But our troubles in describing the forces at work in security, or the nature or measure of the defenses that we seek to employ, are fundamental. If we really wish to optimize defenses, we cannot layer this on that, and hope that our safety factor, or factor of ignorance, will suffice. We need ways to measure stress or strain. How cracks develop and spread. Our technological systems are like ancient Greek roofs — we know that they are fragile, we cannot describe why, and we do not know what to do.

Perhaps it will take us hundreds of years, and software will continue to fail in surprising ways. Perhaps we will learn from our engineering peers and get better at it faster.

The journey to an understanding of structures, or why they do not fall down, is inspiring, instructive, and depressing. Nevertheless, recommended.

Books which are worth your time: Q4



  • Void Star, Zachary Mason. The best William Gibson novel in a while. The one with 51 reviews has 3.9 stars, while the one with 26 only gets 3.7. Other than their Amazon ratings, I am unsure of the difference. Ms. O’Neil would be appalled, or perhaps amused.

What have you read lately that’s worthwhile?

Reflective Practice and Threat Modeling (Threat Model Thursday)

Lately, I’ve been asking what takes threat modeling from a practice to a mission. If you’re reading this blog, you may have seen that some people are nearly mad about threat modeling. The ones who say “you’re never done threat modeling.” The ones who’ve made it the center of their work practice. What distinguishes those people from those who keep trying to teach developers about the difference between a hactivist and a script kiddie?

A book I’ve read recently, “The Reflective Practitioner: How Professionals Think In Action,” gives some useful perspective. It’s about how practitioners use the cases and issues before them to grapple with questions like ‘is this the best way to approach this problem?’ It’s not an easy read by any stretch. It engages in analysis of both what makes a profession, and how several professions including architect, psychologist, and town planner engage with their work.

They may ask themselves, for example, “What features do I notice when I recognize this thing? What are the criteria by which I make this judgment? What procedures am I enacting when I perform this skill? How am I framing the problem that I am trying to solve?” Usually reflection on knowing-in-action goes together with reflection on the stuff at hand. There is some puzzling, or troubling, or interesting phenomenon with which the individual is trying to deal. As he tries to make sense of it, he also reflects on the understandings which have been implicit in his action, understandings which he surfaces, criticizes, restructures, and embodies in further action. It is this entire process of reflection-in-action which is central to the “art” by which practitioners sometimes deal well with situations of uncertainty, instability, uniqueness, and value conflict.

Those seeking to advance their practice of threat modeling would do well to pick up a copy and use it as a lens into reflecting on their practice of the arts.

After the jump, I’m going to quote more bits that struck me as I read, and offer some reflection on them.

Continue reading

Security Engineering: Computers versus Bridges

Joseph Lorenzo Hall has a post at the Center for Democracy and Technology, “Taking the Pulse of Security Research.” One part of the post is an expert statement on security research, and I’m one of the experts who has signed on.

I fully support what CDT chose to include in the statement, and I want to go deeper. The back and forth of design and critique is not only a critical part of how an individual design gets better, but fields in which such criticism is the norm advance faster.

A quick search in Petroski’s Engineers of Dreams: Great Bridge Builders and the Spanning of America brings us the following. (The Roeblings built the Brooklyn Bridge, Lindenthal had proposed a concept for the crossing, which lost to Roebling’s, and he built many others.)

In Lindenthal’s case, he was so committed to the suspension concept for bridging the Hudson River that he turned the argument naturally and not unfairly to his use. Lindenthal admitted, for example, that it was “a popular assumption that suspension bridges cannot be well used for railroad purposes,” and further conceded that throughout the world there was only one suspension bridge then carrying railroad tracks, Roebling’s Niagara Gorge Bridge, completed in 1854, over which trains had to move slowly. However, rather than seeing this as scant evidence for his case, Lindenthal held up as a model the “greater moral courage and more abiding faith in the truth of constructive principles” that Roebling needed to build his bridge in the face of contemporary criticism by the “most eminent bridge engineers then living.” In Lindenthal’s time, three decades later, it was not merely a question of moral courage; “nowadays bridges are not built on faith,” and there was “not another field of applied mechanics where results can be predicted with so much precision as in bridges of iron and steel.” (“Engineers of Dreams: Great Bridge Builders and the Spanning of America,” Henry Petroski)

Importantly for the case which CDT is making, over the span of thirty years, we went from a single suspension bridge to “much precision” in their construction. That progress happened because criticisms and questions are standard while a bridge is proposed, and if it fails, there are inquests and inquiries as to why.

In his The Great Bridge: The Epic Story of the Building of the Brooklyn Bridge, David McCullough describes the prolonged public discussion of the engineering merits:

It had been said repeatedly by critics of the plan that a single span of such length was impossible, that the bridge trains would shake the structure to pieces and, more frequently, that no amount of calculations on paper could guarantee how it might hold up in heavy winds, but the odds were that the great river span would thrash and twist until it snapped in two and fell, the way the Wheeling Bridge had done (a spectacle some of his critics hoped to be on hand for, to judge by the tone of their attacks).

The process of debating plans for a bridge strengthen, not weaken, the resulting structure. Both books are worth reading as you think about how to advance the field of cybersecurity.

Image credit: Cleveland Electric, on their page about a fiber optic structural monitoring system which they retro-fitted onto the bridge in question.

Worthwhile books, Q3

Some of what I’ve read over the past quarter, and want to recommend each of the books below as worthy of your time.


  • The Internet of Risky Things, Sean Smith. This was a surprisingly good short read. What I gained was an organized way of thinking and a nice reference for thinking through the issues of IOT. Also, the lovely phrase “cyber Love Canal.”
  • American Spies, Jennifer Stisa Granick. Again, surprisingly good, laying out with the logical force that really good lawyers bring, explaining both sides of an issue and then explaining the frame in which you should understand it.
  • Saving Bletchley Park, Sue Black. (Title links to publisher, who sells ebook & print, or you can go to Amazon, who only sells the hardback.) The really interesting story of the activism campaign to save Bletchley Park, which was falling apart 20 years ago. Dr. Black is explicit that she wrote the book to carry the feel of an internet campaign, with some stylistic bits that I found surprising. I was expecting a drier style. Don’t make my mistake, and do read the book. Also, visit Bletchley Park: it’s a great museum.

Nonfiction, not security


  • N. K. Jemisin’s Broken Earth Series. Outstanding writing, interesting worldbuilding, and the first two books have both won Hugos. First book is “The Fifth Season.” Bump it up in your queue.
  • The Rise and Fall of D.O.D.O, Neal Stephenson and Nicole Galland. I’m not (yet) familiar with Galland’s work, much of which seems to be historical fiction. This fairly breezy and fun time travel read, much less dense than most of Stephenson’s recent books.

Previously: Q2.