Top 10 Security, Technology, and Business Books of 2023

The year 2023 felt incredibly disruptive and my annual reading list probably reflects that fact as I sought out books that focused not only on managing risk and chaos, but recognizing and fostering disruptive technology opportunties. Five years ago, I recommended Kevin Roberts’ excellent book “64 Shots” which talked about surviving in a VUCA (volatility, uncertainty, complexity, and ambiguity) world and 2023 definitely qualified as a VUCA year. It was also a year to remember that there are bad actors in every domain and that being in the cultural zeitgeist doesn’t automatically qualify you as a good leader.

The 2023 list is now up on OODA Loop.

My Top 10 Security, Technology and Business books of 2022

Head on over to for my top 10 books of 2022.


Happy 25th Anniversary to the Terrorism Research Center

Today marks the 25th anniversary since the founding of the Terrorism Research Center.  I think I captured the continuing legacy of the TRC well in my 20th anniversary note, so sharing below for broader distribution.

Twenty years. If you had told me twenty years ago that an initiative with two friends over an elk dinner would be measuring its impact in decades, I'd have thought your perspective to be a bit ambitious. Yet here we are, twenty years later and the Terrorism Research Center legacy is still having an immeasurable influence on our homeland and international security.

Many of the TRC initiatives from the past decade are still having a self-sustaining impact as official programs within DHS and other organizations. Nearly 15 years of analysis and insight informed several generations of security professionals, government officials, academics, and the general public. During the most precarious time in counterterrorism history our team was there; ready, able, and willing to join the fight. We innovated new solutions prior to and after September 11th. Solutions like the Responder Knowledge Base, the Terrorism Early Warning Group network, Project Pediatric Preparedness, Terror Web Watch, database, and the Mirror Image and T4 training.

It is rare that I attend an event where I don't get some thanks or recognition from someone who was impacted in a positive way by the TRC. The flag that flew over the U.S. Capital in our honor is one of my most prized possessions.

By my last count we've got TRC alumni in the CIA, FBI, State Department, DHS, DIA, and dozens of other notable organizations. We have former employees, whom after interacting with the First Responder community, were inspired to become First Responders themselves and are now saving lives every day in their communities. We have employees who met at TRC, fell in love, and are now producing TRC offspring. Talk about "next generation"....

I am humbled by the team's past and current accomplishments. I am excited for what you will achieve in the future. At the end of the day, the world is a much better place for the TRC having existed and that is the greatest achievement of all.

Matt Devost

Terrorism Research Center Co-Founder, President and CEO

April 19, 2016


A Letter on the Morality of Using Information Warfare Weapons in 1993

I'm not sure who I wrote this letter to in 1993/94, but I'm guessing maybe my mentor Daniel T Kuehl given the discussion about warfare. I found it while digging up an old report for Bob Gourley.

I'm clearly trying to make sense of the strategic and moral implications of Information Warfare. By the time I wrote my thesis a year later, I had moved away from the crossbow and focused on the Conoidal Bullet and Bushnell's Turtle (early submarine warfare) as applicable analogies.

-----------------1993/94 Letter to unknown ------------

Thinking about the relationship to nuclear weapons. I’ve been thinking about Mueller’s argument about the moral implications of fighting nuclear war or general wars and how he thinks there is a global conscience or lesson that we have learned that says war is bad, repulsive, immoral, etc. I was thinking about how this relates to information warfare, and I think the greatest impact that information warfare will have is that it removes these concerns of morality. Morality is almost always linked with humanistic concerns, but what if you are only waging war against machines. Where does that leave the moral concerns?

However, there is another difference and that is the steps of warfare. Conventional warfare escalates to nuclear warfare. Nuclear war is a worst case scenario. It isn’t very likely that nuclear war would be the precursor to conventional warfare. Where information warfare is concerned, the opposite holds true. Third wave states will fight information warfare first until Third Wave capabilities are destroyed, then you are forced to revert to Industrial Age or conventional warfare. Am I making any sense? I guess I am trying to say that nuclear technology was seen as a next step warfare weapon, what we use after our current techniques have failed, or as a strategic supplement to conventional warfare. This is not the case with autonomous information warfare, since it will be used before conventional warfare. This relates strongly to the realist/liberal debate surrounding information warfare. What is a more effective deterrent to information warfare? Threats or capabilities of counter information warfare or threats of conventional warfare? If it is the later, how do you morally justify your response in a globally enlightened system that Mueller describes, if such a thing exists. How important are these information systems to us? If they are the lifeblood of our Third Wave society, we had better recognize that and prepare to defend them.

I have also been thinking about other weapons and how they relate to information warfare. I think the crossbow might serve as a good analogy, even though it is outdated. The implication being that the crossbow empowered otherwise weak individuals to wage effective warfare against better equipped and better trained knights. If armor might be taken as an analogy for today’s strong conventional military capabilities, then information warfare is the crossbow that launches the arrow that pierces the armor, possibly killing the knight, even though the peasant had no armor or horse of his own. The United States might be seen as the Goliath to David’s stone.

Also any modern “smart” weapons might be useful correlations to draw. Especially those that lower the cost of human life by striking accurately at industrial and strategic targets. Didn’t we feel more moral being able to launch Tomahawks into Baghdad to take out communication centers than carpet bombing the city. Removing the human contact also helps. It is much easier to destroy or kill watching it on a computer screen a few hundred miles away then driving a bayonet through someone’s heart on the front lines.

I still have a lot more I want to read today, but I like to air out thoughts as they occur. Any thoughts or suggestions? Is there a crossbow of conventional warfare that changed the way war was fought, made weak states able to deal deadly blows to stronger military powers?

Top 10 Security, Technology and Business Books of 2019

My annual compilation of best books for the year 2019 is now live at OODA Loop.  I read over 100 books to select the ten best of the year.  Also, please consider subscribing to my weekly email newsletter that tracks the top cyber and technology stories of the week and provides one book review per week as well.  Subscribe at - Thanks!

The Third Decade Problems

Meaningful work is the opus of a successful career and over the past two decades, I’ve had the humbling honor of working impactfully on important issues.  

In the early and mid-90’s, I helped identify the next generation of conflict in the cyber domain and worked to prepare the United States and our Allies for cyber-enabled operations.  I was a founding executive at iDefense which spearheaded the cyber intelligence field and would guide iSight Partners through a critical growth period a decade later. At the Terrorism Research Center we worked tirelessly on counterterrorism related issues and when the world shifted on September 11, we were well positioned to provide valuable training, research, analysis and other critical services.  In 2010, FusionX was created to address the next generation of cyber threats through advanced red teaming and incident response.

By focusing on meaningful issues and accurately predicting future risks, these were also successful entrepreneurial endeavors as each company was acquired.  

As I look toward the next decade of my professional career, it is important that my future entrepreneurial efforts are also tied to meaningful issues.

To that end, I’m starting a new company called OODA LLC.  At OODA, we will be working in the broader advisory market and providing high value to our clients, but we will also be focusing on three big meaningful problems.  The measure of our success will not be constrained to revenue and profits, but by also working towards impactful solutions to three of the next decade’s most pressing challenges.   Here are three areas where we want to make an impact.

Problem One - AI Integrity

We are about to make a great leap forward in disruptive technology in the areas of machine learning and Artificial Intelligence.  Given the potential for autonomy around these technologies it is incredibly important that we develop and adopt them in a manner that allows us to realize the benefits of the technology while also managing the risk.

At OODA we will be working on AI security issues in several significant ways.  For example, what does a FusionX style red team look like for an AI environment?  How do we appropriately test the security profile of an AI system? How do you red team for algorithmic bias or unintended consequences?  An attacker making a change in a machine learning algorithm or the data it learns from can have a disproportionate impact on the future security of that system.  Like interest in a bank account, mistakes in AI and machine learning have a compounding effect.

We will draw upon our extensive cyber experience and expertise, coupled with deep data science expertise, to address these critical issues in the market with what we are calling a Turing Integrity Assessment.

Problem Two - Cybersecurity

Over the past two decades, the cybersecurity industry has accomplished much, but there is still so much work to be done.  While our greatest concerns regarding cyber attacks against critical infrastructure have not yet been realized, it is highly likely that capability and intent will align over the next decade and a consequential attack will happen.  Additionally, attackers have adapted over the past decade to target trust and reduce our confidence in information and institutions. The very information and institutions that serve as the foundation for future prosperity.

We need to make sure that we design security into our next generation of systems and technologies.  It will require a deliberate approach to build security into the design process and ensure we don’t repeat the mistakes we’ve made over previous iterations of systems and networks.  As the impact of technology amplifies, so do the risks and we can’t afford to sleepwalk through the next decade.

We need to actively counter efforts to disrupt our social integrity and diminish our trust not only in technology, but in each other.  This will require new thinking and approaches and dependencies on new technologies like AI.

We need to impose greater costs on cyber attackers by creating a next generation of cyber security solutions and approaches.  We need to make sure those approaches are adopted in the market and a successful cybersecurity ecosystem exists.

As you can imagine, the phone rings with a lot of cyber opportunities and we intend to answer it and continue to apply our experience and expertise in this domain.

Problem Three - Objective Decision Making

Everything we do at OODA will be geared towards enabling intelligent action.  It is, after all, the tagline for the company. When you name a company after Colonel John Boyd’s OODA Loop (Observe Orient Decide Act), enabling decision-making becomes a guiding ethos.

In addition to our consulting, advisory, and intelligence services, we will also be operating several resources geared towards bridging the gap between domain expertise and applied expertise in modern organizations.  

The OODA Loop site

Operating at, this site engages experts, practitioners, and analysts to provide objective research and analysis that can inform your decision making.  We seek to identify and explore those critical security, technology, and business issues that should be on your radar screen.

A core component of the site will be the OODA Network where members are seeking to obtain high-integrity information, intelligence, and insight curated by trusted experts.  This network will also foster collaboration and cooperation to address global issues, identify new trends, and create opportunities.

I’ve always felt that the problems we face are greater than any one organization is going to solve.  It is no coincidence that one of my favorite graphic novels is the Global Frequency, where an network of 1001 experts are asked to respond to global crises. At the Terrorism Research Center we had an expert network and helped build a network of Terrorism Early Warning Groups in 56 cities in the United States (that served as the foundation for the DHS Fusion Centers).  After 20 years, we’re able to optimize the design of an expert network and expect the OODA Network to be very high yield for all involved.

When it comes to global risk issues, none of us is as smart as all of us and our solutions must mirror the network enabled architectures of our threats.  While we don’t expect to make a profit operating this network, membership will not be free to ensure everyone has skin in the game.

CTO Vision

While we intend to track broad technology issues at, we will also be operating an enhanced portal to track enterprise technology and the technology trends and developments taking place in the global technology environment.  My partner Bob Gourley has operated CTO Vision for over a decade and it has been on the forefront of identifying and analyzing emerging technology trends.

The Future Proof event series

Drawing upon our five years of successfully operating the FedCyber conference, Bob and I will be launching a new event series called Future Proof.

Society, technology, and institutions are at the precipice of unprecedented change.  Rapid acceleration of innovation, disruptive technologies and infrastructures, and new modes of network-enabled conflict require leaders to not only think outside the box, but to think without the box.

The Future Proof conference brings together the hackers, thinkers, strategists, disruptors, and creators with one foot in the future to discuss the most pressing issues of the day and provide insight into the ways technology, risk, and opportunity are evolving.  Future Proof is not just about understanding the future, but developing the resiliency to thrive and survive in an age of disruption.

We expect to host one big annual event, coupled with quarterly regional events.

OODA Ventures

Years ago I recognized that I derive much happiness from the success of others and I have mentored or invested in dozens of entrepreneurs over the years.  Through OODA Ventures we will advise, mentor, and invest in early stage cybersecurity and technology start-ups.

We won’t just write checks. We will work with entrepreneurs to mature their market approach and develop momentum for their product or service by leveraging our extensive network. We study and look to understand the environmental, technological, scientific, and geopolitical factors that will impact the future as well as the gray area phenomena on the fringe that could present unexpected challenges or opportunities.

In addition to investing our own capital, we will be raising a small seed fund, allowing investors to capitalize on our diligence process and understanding of future market opportunities.

Bringing It All Together

If you’ve ever worked for me or follow me on social media, you know that I prioritize people over organizations and view the human element to be the most critical component of success.

To this end, I’ve partnered with Bob Gourley on the launch of OODA.  Bob has been a close friend and colleague since 1996 and we’ve worked together on dozens of projects in the U.S. government and commercial sectors.  His energy and enthusiasm for these issues mirrors my own. Together, we’ll build out a world-class team that I’m sure will include a lot of familiar faces over time.  

There is lots to do, so let’s get to it.  If we haven’t touched base recently, please get in touch and let’s figure out how we can collaborate in 2019. In the meantime, take a look at and let me know what you think.

Top 10 Security, Business, and Technology books of 2017

I've compiled my annual list of top books.  Not your typical top ten list.  Check it out at OODA Loop

Best Security, Business, and Technology Books of 2016

"Dozens of times per year, I get asked to recommend my favorite books so I couldn’t say no when the OODA Loop team asked me to build on Mark Mateski’s popular Red Teaming book list by providing my top 10 books for 2016. I have very eclectic interests, so I’ve focused my list on the top security, business, and technology books of 2016. Given that I’ve always drawn on fiction for both inspiration and insight, the list also includes three very compelling works of fiction that should be of interest to those in the security and technology fields. Please feel free to share your thoughts and recommendations with me via twitter @MattDevost. Happy reading!"

Source: OODA Loop - Best Security, Business, and Technology Books of 2016