Jacob Kaplan-Moss

Tag: Infosec

A reading list for InfoSec engineers

I’ve started a curated reading list for InfoSec engineers.

I was inspired by Mark McGranaghan’s Services Engineering reading list. I really enjoy these kinds of personal, highly-curated reading lists, and for some time I’ve wanted to pull together one of my own.

This is my list, not a definitive one — that is, these are resources I’ve found useful. As such it has some biases:

  • It’s oriented towards providers of Software-, Platform-, and Infrastructure-as-a-Service.
  • It tends to focus on the human factors aspects of security practice (there’s deeply technical stuff too, just not as much).
  • There’s some random stuff that’s not explicitly “about InfoSec”, but that I’ve nonetheless found extremely useful in thinking about InfoSec. Dekker’s Field Guide to Understanding ‘Human Error’ is a good example of this kind of resource.

It’s incomplete — first because I’ve not yet sifted through my 10+ years of bookmarks for everything I should add, and second because I intended for this to be a living resource, something I’ll update as I find new things.

April 20th, 2016 • infosec reading list

Psychological safety in the InfoSec industry

My co-worker Eric Mill recently brought up the topic of psychological safety. Referencing a study by Google that points to psychological safety as a key factor in successful teams, Eric wrote:

Maybe these situations sound familiar to others (they definitely both are to me):

Did you feel like you could ask what the goal was without the risk of sounding like you’re the only one out of the loop? Or did you opt for continuing without clarifying anything, in order to avoid being perceived as someone who is unaware?

April 18th, 2016 • fav infosec jobs psychological safety