TL;DR: Rick Howard argues that cybersecurity teams have traded depth for speed, relying on summaries, bullet-point content, and AI digests instead of sustained reading, according to Bitwarden’s coverage of his keynote at the 2025 Open Source Security Summit. The editorial point is that security judgement, not content volume, is what programme maturity depends on.
NHIMG editorial — based on content published by Bitwarden: Rick Howard’s keynote on why cybersecurity professionals should read deeply
By the numbers:
- The CyberCanon has inducted just over 50 books after 15 years.
- 2014, 014, Howard created the CyberCanon Project as an all-volunteer nonprofit.
Questions worth separating out
Q: How should security teams use summaries without weakening identity governance decisions?
A: Use summaries for orientation, not for control design.
Q: Why does deep reading matter in NHI governance?
A: Deep reading matters because NHI controls are highly context dependent.
Q: What do security teams get wrong when they rely too much on AI digests?
A: They often mistake compression for understanding.
Practitioner guidance
- Mandate source-level review for policy changes Require architects and control owners to read the full source material before changing identity standards, access rules, or governance criteria.
- Separate triage reading from decision reading Allow short-form digests for awareness, but require deep reading before approving changes to NHI lifecycle, PAM scope, or access review design.
- Capture reading notes as control evidence Ask teams to document what was learned, what assumptions were tested, and what did not apply to your environment.
What's in the full article
Bitwarden's full post covers the operational detail this post intentionally leaves for the source:
- Rick Howard's full keynote framing and the CyberCanon selection process behind the reading list
- The specific books he recommends and why each one changed how practitioners think about cybersecurity
- The historical examples he uses, including the 75-cent incident in The Cuckoo's Egg and the blockchain tracing case in Tracers in the Dark
- The broader reading strategy he recommends for professionals trying to build deeper security judgement
👉 Read Bitwarden's keynote coverage on why deep reading still matters in cybersecurity →
Deep reading in cybersecurity: what teams lose when they skim?
Explore further
Deep reading is a governance control, not a personal preference. Cybersecurity programmes that reward speed over comprehension end up with weaker control selection, weaker escalation judgement, and weaker root-cause analysis. That is especially true in identity security, where the same word can describe very different subjects across human IAM, NHI, and autonomous systems. Practitioners should treat reading depth as part of control quality.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How can practitioners tell whether their team is reading deeply enough?
A: A useful test is whether the team can explain the mechanism, the assumptions, and the limits of a recommendation in its own words. If it cannot, the team is probably consuming information faster than it is understanding it.
👉 Read our full editorial: Deep reading remains a cybersecurity control, not a luxury