Shostack + Friends Blog


Fire Doesn't Innovate by Kip Boyle (Book Review)

An unexpected book review.

I hate reviewing books by people I know, because I am a picky reader, and if you can't say anything nice, don't say anything at all. I also tend to hate management books, because they often substitute jargon for crisp thinking. So I am surprised, but, here I am, writing a review of Kip Boyle's "Fire Doesn't Innovate."

I'm giving little away by saying the twist is that attackers do innovate, and it's a surprisingly solid frame on which Kip hangs a readable and actionable book for executives who need to make cybersecurity decisions. And it doesn't fall into the jargon trap either in security or management.

It is not a book for the CSO. It is a book for executives, including, but not limited to, CEOs. They need to understand why cyber risks aren't like fire risks, they need to drive action by their company, and they don't need, want, or have the time to be able to talk about the difference between Fancy Bear and SQL injection.

In this, it is less detailed by far than Peter Singer and Allan Friedman's "Cybersecurity and Cyberwar." That book is intended to act as a primer and get people ready for deeper learning. "Fire" is much more for the busy executive who needs to know what questions to ask, what good answers look like, and what to tell their team to go do.

The book is organized into two major parts. Part I is basic cyber 'hygiene' for the exec, including actionable steps like turn on updates and backups and two-factor auth. (I disagree with his blanket advice to never pay ransoms — getting your business back is probably better than losing it.) Part II is what to do. It's organized around the NIST Cybersecurity Framework, and makes it actionable. The action is in three parts: assess, plan and execute, and do so on an annual schedule.

Part of me burns with the urge to scream "that's too simplistic!" But I know that for a lot of executives, that's what they need as they get started. The nuance and complexity that we can bring to their problem leads to a feeling that cyber is overwhelming and impossible. So they do nothing. There's an important lesson and model here for those writing 'how to be safe on the internet' guidance, and maybe there's a second book here for normal folks.

There's another trap that Kip avoids, and that is the book that tells you about the secret sauce but doesn't reveal it. Those books are essentially ads for the thing the author has to sell, and the book tells you enough to get you to pick up the phone. "Fire" doesn't do that. It lays out, specifically, here are the questions to ask. Here's the email to frame the project. Here's how to interpret results. It's a brave move, but one that I think is wise. (My threat modeling book tells you what you need to know, and people call me looking for help. The coaching, the "here's the nugget you need," and the comparisons all make for a good business.)

I don't know of another book at this level. Buy it for the execs you know.

Disclosure: I bought a copy of the Kindle Edition, and Kip gave me a signed copy of the paperback. He says nice things about me in the acknowledgements.