General security

The top 15 must-have books in InfoSec

June 16, 2018 by Daniel Brecht

Hands-on experience and years of activity play an essential part in building the expertise of information security (InfoSec) professionals. However, a solid theoretical foundation is also essential to acquire the knowledge required to keep up with technology, with the evolution of threats, and with the way hackers operate.

Computer security sourcebooks, handbooks, and technical or reference textbooks are needed both to build on skills already attained and to stay up to date with the latest trends, security threats, and technologies. There are thousands of books available for purchase to InfoSec professionals; some are suitable for those who want to consolidate their knowledge, and some are for beginners looking to validate their InfoSec experience, find their niche, or fill skills gaps in order to access new InfoSec job roles.

In this ever-evolving field, technical books can quickly become outdated, and yet InfoSec pros still often rely on them for clarification or to discover the techniques, tools, and methodologies used in the trade. In fact, classes or training sessions cannot match the in-depth, comprehensive detail offered by a good InfoSec book, provided it is authored by true experts in the field.

There is a large amount of reading material out there, online and in stores or libraries, for those at any level of IT security or cybersecurity proficiency. With that in mind, here is a shortlist, compiled in no particular order, of 15 must-have books for InfoSec professionals. This selection is for beginner and intermediate skill levels and is suitable for those preparing for any number of careers in IT security. Although some of these books were written a few years ago, they are still the favorites of many professionals and students.

Here are 15 must-have information security books:

Security in computing (5th Edition)

This book was published in 2015 and authored by Charles P. Pfleeger, an independent consultant specializing in computer and information system security who also chaired the IEEE Computer Society Technical Committee on Security and Privacy, and Shari Lawrence Pfleeger, Research Director for Dartmouth College's Institute for Information Infrastructure Protection. Both authors are recognized experts in their fields.

Security in Computing offers complete coverage of all aspects of computer security, including users, software, devices, operating systems, networks, law, and ethics. The 5th edition also covers cloud computing, the Internet of Things (IoT), and cyberwarfare. The book gives readers a solid foundation and, in fact, is widely used as a recommended textbook for many college IT courses nationwide.

Crafting the InfoSec playbook: Security monitoring and incident response master plan (1st Edition)

This book was also published in 2015 and was authored by members of Cisco's Computer Security Incident Response Team (CSIRT): Jeff Bollinger, Brandon Enright, and Matthew Valites.

Crafting the InfoSec Playbook shows how to put an incident response plan into action by developing strategy, policies, techniques, and architecture, not just by deploying security tools. Although already three years old, this book is still a more than valid reference for professionals tasked with threat analysis and security monitoring.

Defensive security handbook: Best practices for securing infrastructure (1st Edition)

This book was published in 2017 and authored by Lee Brotherston, a Senior Security Advisor, and Amanda Berlin, an Information Security Architect. Lee has spent more than a decade in Information Security, and Amanda has specialized in different areas of technology and sectors providing infrastructure support, triage, and design.

Defensive Security Handbook takes a "defense-in-depth" approach to maintaining security effectively and provides step-by-step instructions for dealing with specific issues, whether with tools or by applying a set of processes and protective measures. The book was written as a sort of Security 101 handbook, offering ideas, walk-throughs, common practices, and lessons-learned stories to help professionals improve the security posture of any organization, across various network configurations, efficiently and cost-effectively.

Information Assurance Handbook: Effective Computer Security and Risk Management Strategies (1st Edition)

This book was published in 2014 and authored by Corey Schou, director of the Informatics Research Institute and the National Information Assurance Training and Education Center (NIATEC), and Steven Hernandez, chief information security officer for the Office of Inspector General at the U.S. Department of Health and Human Services (HHS).

Information Assurance Handbook covers basic IA principles and concepts and is an all-in-one source for the tools and techniques required to prevent security breaches and other information assurance issues. The book is a great starting reference for professionals dealing with information assurance in a variety of sectors, from healthcare to retail to government.

Network security through data analysis: From data to action (2nd Edition)

This book, published in 2017, was authored by Michael S. Collins, Chief Scientist for RedJack LLC, a company that protects networks against attacks with the help of data analysis. As a security researcher, Michael Collins shows InfoSec personnel the latest techniques and tools for collecting and analyzing network traffic datasets.

Network Security through Data Analysis examines why traditional intrusion detection is no longer effective against the newest threats and introduces the latest trends in examining network traffic, along with methods for collecting and organizing meaningful data for analysis. It also covers a collection of tools, sensors, methods, and techniques that are now more efficient for acquiring threat intelligence.

How to measure anything in cybersecurity risk (1st Edition)

This book was published in 2016 and authored by Douglas W. Hubbard, an expert in measuring intangibles, risks, and value, especially in IT, and co-authored by Richard Seiersen, a CISO who speaks at industry and corporate events (e.g., RSA Conference). The authors approach cybersecurity from a different perspective and point out the limitations of some risk management practices.

How to Measure Anything in Cybersecurity Risk then offers ways to discover holes in the protection layers, as well as new methods to increase security by improving the quantitative processes, approaches, and techniques used to address risk.

IT security risk control management: An audit preparation plan (1st Edition)

This book, published in 2016, was authored by Raymond Pompon, a Principal Threat Researcher Evangelist with F5 Labs, who is frequently asked to speak as a subject matter expert on Internet security issues. He has been directly involved in several major intrusion cases.

IT Security Risk Control Management offers a step-by-step approach that can help professionals prepare for common audits while building and implementing an effective security program with customized security controls and non-technical measures, involving management and the entire organization. The strength of this book is its real-world approach, with practical advice on dealing with all levels of an organization that can help any professional handle security in their unique environment.

Enterprise cybersecurity: How to build a successful cyberdefense program against advanced threats (1st Edition)

This book was published in 2015 and authored by recognized cybersecurity experts Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, and Abdul Aslam. Together they have decades of experience in the field and offer a comprehensive approach to building and managing an enterprise cybersecurity program by employing new defense operating concepts.

Enterprise Cybersecurity takes a thorough yet simple, real-world approach and is a good reference for professionals creating, managing, and assessing security programs. It provides ideas and tips for writing effective policies and, where needed, offers clear formulas and explanatory graphics.

Security controls evaluation, testing, and assessment handbook (1st Edition)

This handbook, published in 2015, was authored by Leighton Johnson, an expert in IT security and digital forensics who will also be a speaker at The Techno Security & Digital Forensics Conference 2018.

Security Controls Evaluation, Testing, and Assessment Handbook provides guidance and techniques and offers a practical walk-through approach to evaluating and testing various computer security controls in IT systems.

Cyber security basics: Protect your organization by applying the fundamentals (1st Edition)

This book was published in 2016 and authored by Don Franke, who has worked in information technology for over 20 years and is active in teaching and writing about various cybersecurity topics.

The strength of Cyber Security Basics is its conciseness and the ease with which it goes over fundamental InfoSec concepts and the application of protection methods and controls. Compact, at only 100 pages, it is a good overview for true beginners and offers an approach to implementing security controls based on maturity. The author helps the reader determine the maturity of a security program by taking into consideration its age, available resources, and management support, and indicates which security controls are appropriate for each level and which would be overkill.

Fundamentals of information systems security (3rd Edition)

This 2016 book was authored by David Kim, President and Chief Security Officer of Security Evolutions, Inc., and Michael G. Solomon, Ph.D., CISSP, PMP, CISM, of Solomon Consulting Inc. Each is an expert in his field.

Fundamentals of Information Systems Security is a revised and updated book (now in its 3rd edition) with the latest data in the field, containing information on new risks, threats, and vulnerabilities, as well as content on APT attacks such as ransomware and CryptoLocker, plus "Internet of Things" risks and privacy issues. What's more, there is a section on InfoSec standards, education, and professional certifications, as well as updates on compliance laws and standards, including FISMA, NIST SP 800-171, and PCI DSS v3.2.

Hacking the hacker: Learn from the experts who take down hackers (1st Edition)

This book was published in 2017 and authored by Roger A. Grimes, CISSP, CEH, who has written more than 10 books and over 1000 national magazine articles on computer security, specializing in preventing hacker and malware attacks.

Hacking the Hacker offers an interesting introduction to the hacking world through interviews with 26 white hat hackers and security researchers who describe what their role is and what it really involves. This behind-the-scenes approach makes it an interesting read for non-technical professionals as well.

Practical malware analysis: A hands-on guide to dissecting malicious software

Surprisingly current for a book written in 2012, Practical Malware Analysis is a great starting point for anyone interested in malware analysis. The book covers tools, techniques, and methods for countering malware tricks through technical explanations but also hands-on labs and a step-by-step, practical approach.

Written by Michael Sikorski, a consultant who has authored courses in malware analysis and taught them to FBI and NSA personnel, and Andrew Honig, an Information Assurance Expert for the Department of Defense, this is not a book for absolute beginners and is due for an update; however, it is still a must-have resource for professionals interested in reverse engineering and metadata analysis.

Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Authored by Ray Rothrock, a cybersecurity expert who has been CEO of RedSeal (an American cybersecurity analytics company) since February 2014, this book was written in 2018 and gives management, leaders, and anyone interested in cybersecurity a non-technical overview of the current digital landscape, its threats, and how to build resilience.

The author also runs through some of the most notorious recent breaches and attacks, including the 2013 Target attack, the 2016 Yahoo data breach, and the 2017 "WannaCry" ransomware offensive. He shows what went wrong and what can be done to prevent and fix such issues, making this work a great text for building awareness.

Bulletproof SSL and TLS: Understanding and deploying SSL/TLS and PKI to secure servers and web applications

For a more technical option, Bulletproof SSL and TLS offers a good mix of theory and advice on implementing controls. Written by security researcher and engineer Ivan Ristic, who often speaks at renowned security conferences, this book was fully updated in 2017 and covers SSL and TLS encryption for secure servers and web applications.

The intended audience is broad, as the book offers something for many professional roles: it highlights risks for IT security professionals, shows system administrators how to deploy systems securely, and gives developers tips for designing secure web applications. It is also a great text for those who want to know a bit more about the history of PKI and SSL/TLS, their real-world implementation, and which cyber-attacks prompted the development of these technologies.


There are thousands of books covering the cybersecurity realm from many different angles. This list includes books with an academic perspective that serve as good references for professionals with different levels of expertise, as well as books written by industry experts that give an insider's perspective and can help build awareness among non-technical, managerial professionals too.

Of course, there are many more InfoSec resources (books, audiobooks, e-books, and e-magazines) worth naming, and whether you are already an InfoSec professional or a newcomer to IT security or cybersecurity, books are essential resources on the way to a well-paying career (see Average CISM Salary 2018, for example).



Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices, and cybersecurity standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development, and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.