-r---: Investigate
Investigate (verb): to examine something carefully, esp. to discover the truth about it. -Cambridge Dictionary
In these uncertain times, we frequently must be warier and warier of the pernicious information that surrounds us. We must look closely at the sources we trust, and ask ourselves what may be missing from the paragraphs we read. The duty to scrutinize news and findings now falls to us, so we must be curious and investigate. For most in the information security field, a strong curiosity will carry you much further than a five-letter acronym after your name, but you must be able to hone and direct that curiosity. Asking the right questions of the right data is difficult, and knowing where to start can often be like standing on the edge of a cliff in the dark.
When we investigate anything, firewall logs, blurry photographs, or even a phishing link, we build a story in our head and sometimes fly past the mental checkpoints that take us from one conclusion to another. One of the best ways I’ve found to understand the logic behind the research, is to look at another person’s work. Following another investigation piece by piece forces me to slow down and interpret the details and mental models used to reach conclusions. Plus, these are often truly gripping stories that have been thrust into the public spotlight from the seedy underbelly of society we love to ignore.
Here are three books that exemplify a master class in investigation:
Catch and Kill - Ronan Farrow
Catch and Kill is a harrowing tale of systemic sexual harassment, abuse, and manipulation. Farrow captures the #metoo era in vivid detail and presses society and the establishment to capitulate to the overwhelming evidence of brutality and abetment. Catch and Kill provides a view into the holistic journalistic process and gave me the opportunity to question the points at which I cease my own investigations. There are several elements involving digital privacy and safety in the book as well, which lends further proof to how pivotal information security and privacy advocacy work is in all worlds.
Sandworm - Andy Greenburg
A must-read for anyone in the information security. Greenburg brings to life the great cyber threat that keeps us all up at night: Russia. This book was both familiar and out of reach for me. I have never worked in the NatSec community and likely will never experience the level of threat actors and attacks discussed in Sandworm. Nonetheless, the response and research process detailed by well known community members felt like home. I loved being able to hear other’s technical assessments and approaches to addressing this very real threat. Greenburg lays forth incredible detail that should serve as a case study for information security writing and reporting for years to come. This is one book I will be gifting to all my employees in the future.
Bad Blood - John Carreyrou
The intersection of technology and health is more and more like the Wild West every day. Threat actors go after hospitals, ransoming MRI machines, and stealing patient data. But what happens when the threat comes from inside the house? Carreyrou paints a fascinating picture of corporate greed, sociopaths, and big tech backroom deals. I remember following this story in real-time through The Wall Street Journal with Carreyrou at the helm, and Bad Blood pulls the complete timeline together. Once again, this book demonstrates journalistic excellence and gives a reader tangible bread crumbs to follow. I devoured this in less than 48 hours and to this day, still cannot believe how Elizabeth Holmes was able to hoodwink some of the industry’s best and brightest.
I am always up to discuss any recommendations or your experiences with the recommendations. Have something you think I should read or an exercise I should try? Email at lauren@laurenproehl.com or reach out on Twitter - @jotunvillur!