
Ahoy! Our community has become acutely aware of the need for skilled infosec folks to help out in all cause areas. The market conditions are that information security skilled individuals are in shorter supply than demand. This book club aims to remedy that problem.

I have been leading the Chrome Infrastructure Security team at Google for 3 years, have 11 years of infosec experience, and 24 years of career experience. My team’s current focus includes APT and insider defense. I built that team with a mix of folks with infosec skills—yes—but the team is also made up of individuals who were strong general software engineers who had an interest in security. I applied this book and a comprehensive, 18-month training program to transition those folks to infosec, and that has been successful. Reading this book as a book club is the first 5 months of that program. So, while this book club is not sufficient to make a career transition to infosec, it is a significant first step in doing so.

The goal of this group and our meetings is to teach infosec practices, engineering, and policies to those who are interested in learning them, and to refresh and fill in gaps in those who are already in the infosec focus area.

Find the book as a free PDF or via these links. From the book reviews:

This book is the first to really capture the knowledge of some of the best security and reliability teams in the world, and while very few companies will need to operate at Google’s scale many engineers and operators can benefit from some of the hard-earned lessons on securing wide-flung distributed systems. This book is full of useful insights from cover to cover, and each example and anecdote is heavy with authenticity and the wisdom that comes from experimenting, failing and measuring real outcomes at scale. It is a must for anybody looking to build their systems the correct way from day one.

This is a dry, information-dense book. But it also contains a comprehensive manual for how to implement what is widely considered the most secure company in the world.

Audience

Any software engineer who is curious about becoming security engineering focused, or anyone looking to advance their existing infosec career path. It is beyond the level of new bachelor’s graduates. However, anyone with 3-ish years of engineering practice on real-world engineering systems should be able to keep up. A person with a CompSci master's degree but no hands-on experience might also be ready to join.

Openness

Directed to anyone who considers themselves EA-aligned. Will discuss publicly known exploits and news stories, as they relate to the book contents, and avoid confidential cases from private orgs. Will discuss applicability to various aspects of EA-aligned work across all cause areas.

Format, length, time and signup

Meet for 1 hour on Google Meet every 2 weeks where we will discuss 2 chapters. ~11 meetings over 22 weeks.

The meetings will be facilitated by me.

The discussion format will be:

  1. The facilitator will select a theme from the chapters, in order, and then prompt the participants to offer their perspective, ensuring that everyone has ample opportunity to participate, if they choose.
  2. Discussion on each theme will continue for 5-10 minutes and then proceed to the next theme. Participants should offer any relevant, current news or applicability to cause areas, if time permits.
  3. The facilitator will ensure that discussion is relevant and move the conversation along to the next topic, being mindful of the time limit.
  4. Any threads that warrant more discussion than we have time for in the call will be taken to the Slack channel for the book club (see form below for invite) where participants can continue the discussion and ask more questions about specific implementation details and how to effect that change in an organization.

Dates & Time: Starting date: Saturday April 1, 2023 at 2PM PDT. (timezone conversion). We have core attendees signed up across US, UK and AUS currently; apologies if this does not overlap with your timezone.

Signup: Signup here on this form to receive an invite to the Slack channel and add the event calendar (alternative iCal format) to your own calendar. Changes to schedule will be reflected there.

Special thanks to Wim van der Schoot for the impetus to organize this book club.

Comments (15)

Seems like a pretty incredible opportunity for those interested! What level of time commitment do you expect reading and understanding the book to take, in addition to the meetings?

Each set of two chapters we will read will take between 1-2 hours to read every two weeks. That's it.

Are you aware of the existence of EA Gather Town? An always-on virtual meeting place for coworking, connecting, and having both casual and impactful conversations.

It could be a good place to host the meetings.

Reading this book as a book club is the first 5 months of that program.

5 months of... full-time work? Something else?


If I understand correctly, the book club is 11 meetings, where each meeting is 1 hour of video plus 1-2 hours of reading beforehand.

I'm confused about how this adds up, almost to the point where I wonder if you were testing us on purpose ;)

This is the first 5 months of theory in the program. There's also practice and the new team members also shadowed security reviews. So, some self-practice and thinking about security exploits and applicability is expected to occur in parallel to the book club to get the full benefit.

I like this initiative! Just a suggestion: On the Google Form, it would help if the questions "Describe briefly your technical background" and "Describe briefly your involvement in Effective Altruism" were "Paragraph" inputs instead of "Short answer."

Fixed, thank you for noting.

Could you please share more details on which parts of the curriculum would be inaccessible to recent graduates? From the outline of the book alone, it's hard to estimate the level of technical depth needed.

Unfortunately, all of it. The discussion will be fast-moving and talk about reifying the abstract ideas into concrete production systems and organization structure. It will be outside the skill set of anyone who hasn't worked with real production systems and technical orgs for a few years.

Would it be possible to organise sessions in other timezones if there is demand for it? Like Europe, India,...

Yea, depending on success, we might split the next round in two to get global coverage.

Would also be interested how it went and if there are plans for a second round.

How did the first run go? Are you planning to do more groups?