Cyber Canon Candidate Book Review: A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using

Oct 25, 2019
5 minutes

Cyber Canon Book Review: “A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using,” 2017, by Roger A. Grimes

Book reviewed by: Paul Calatayud

Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.


This book is a must-read for all network defenders. First and foremost, it book is based on the author’s real-world experiences as a cybersecurity consultant. It provides valuable insights into why companies of any size struggle to address their top risks. 

Simply put, they don’t know which risks are the most important, and often this means all findings, vulnerabilities and threats are treated equally. They employ too many security technologies and spread their employees’ time thin, resulting in defenders ineffectively handling real-world threats. 

If you’re looking for a new approach to disrupt and improve your cybersecurity program, this book is a must-read. 

Companies are struggling to implement cybersecurity operations and strategies that can make positive impacts and make cybersecurity efforts more effective. Often, organizations learn their biggest security risks, but fail to take action in a timely manner. Network defenders spend time on too many top priorities or pet projects coming from leadership. 

If you had one project you set out to accomplish this year, what would that be? How would you know you’re addressing the top risks to the company? Modern cyber security programs need a data-driven approach to ensure focus on the most impactful initiatives. In some cases, this means stopping non-essential projects in order to make the greatest impact in your network defense programs. Sounds difficult, but data can be your compass. 

Security programs need to focus on ensuring they have the right technologies to generate the right level of data. There are several key ways to approach a data-driven cybersecurity approach:


  • Metrics – Data analysis efforts need to focus on your top impacts, but also your top assets. Not all risks are equal.
  • Data Gaps – Do you have the right level of data in order to make the right decisions?
  • Data Management – Data is king, and as such it needs to be properly managed. 
  • Threat Intelligence Needs a Goal – Focus on answering one question above all: What is the number one way I will be attacked?
  • Discernment – Some data is good, but other data can be bad.


Organizations struggle with prioritization. The result is, network defenders are spread thin and cannot apply the proper time and focus on the most impactful, beneficial work efforts. To make it worse, cyber leaders may change directions, or upper management may read something in the news and want that risk to be addressed. It’s true that awareness of all potential risks that could occur is very important, but without prioritization, awareness can become a pitfall. In this example, the news article was very impactful to the organization affected, but does that translate into the most critical risk and threat to your organization? 

The overall goal of a data- driven cyber program is to not have to make decisions about which risks are not worth working on and which deserve time and effort. It’s about picking the most impactful, beneficial projects and effects, aligned to the data, in order to deliver a risk-driven, data-driven prioritization to your leadership, board and team.

The case for data is clear, but recognizing the value of data is only the first step in developing a cybersecurity program that can make data-driven decisions for your organization. 

The biggest challenge lies with data itself. Often, organizations have a lot of data. But data quality is not the same as data volume. If your security information and event management (SIEM) software generates millions of events a day, one has to ask the question, how can you manage this? Before you take actions against data, you need to make sure the data you’re collecting has the quality necessary to allow you to make decisions against it. You should: 


  • Filter data that is no longer necessary for action.
  • Look at threat intelligence data differently, making sure it’s addressing the goal of relevance to your company, not just offering a broader look at national state attackers. 


Ultimately, with the right level of data, you are able to take a step back and  look at all your assets, data, business tolerances to taking risks. Then you can approach your board with the two or three projects that will address the real risks that are most likely going to impact the business.

Stop what you are doing and take a different look at how you should be managing your cybersecurity program. You should be able to gather the data you need and formulate priorities and efforts based on the data. It’s a great way to navigate emotions, politics and conflicts that occur within any successful cybersecurity program. The way I like to put it, if you don’t agree with me, you need to convince me otherwise, and you’d better be able to create the data necessary to convince me I need to look at it in a different way. This book is a very real and practical way to help you get into the right frame of mind. 


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.