I just finished reading “The New School of Information Security”, written by Adam Shostack and Andrew Stewart. thanasisk, a reader of this blog, and I disagree on the value of the book. He considers it overrated, while I say that it is simply different.
I read this book on the bus (going to work and coming back). First of all, it is not a book. I would call it a long paper (160 pages). Second, every two or three pages the message of the book repeats itself: we need objective data. If one wants to summarize “The New School” in two bullets, these would be:
- We need objective data, so let’s start sharing data and not wait for others to share first.
- Amateurs study Cryptography; Professionals study Economics.
Actually the second bullet is the title of chapter 6. People forget that cryptographers study cryptography. We apply it!
So does this book bring any new knowledge to the table? It depends on who you are. For me, having passed through a variety of information security outposts (from security-oriented system administration to running an emergency response team and passing the CISA exam, among others), the book does not offer any new knowledge. It clearly lays out the “generalist versus specialist” debate (if you read sage-members, such threads come up from time to time) and pushes the reader to think outside his domain of expertise.
Information Security is always a lot more than what you deal with. So what did I get by reading the book?
- Although it discusses issues that “I know about”, this is the first time that I see them written down, all of them and in a clear way. All the arguments that I previously needed in debates with non-security-oriented people above me on the management ladder are here. Now I have an arsenal of arguments that does not live only in my brain.
- When you hear of “best practices” or “rules of thumb”, always ask for proof.
- It reminded me to try to avoid groupthink. Does one need a reminder for that? Well, by the very definition of groupthink, I think yes.
- It exposed me to the principal-agent problem. It does explain a lot of the organizational behavior that I observe.
- It hints at game-theoretic equilibria that explain the current no-win situation for everybody, caused by the lack of objective data that would help us make any educated information security decision.
- It provided pointers to four excellent papers:
So is this book overrated? Well, if you have the experience that thanasisk carries, you can live without reading it. Is it different? Since it is a 160-page paper (a manifesto, if you like), of course. Is it readable? Yes! Should you read it? If you are an eager mind dealing with system administration or information security (at any level, from junior to senior), definitely yes! It will always remind you that Information Security is a whole lot more than whatever you think it is, deal with, or are interested in. For it certainly is not only writing policies, running a vulnerability scanner, or finding the next buffer overflow that will give you root access.
For me the most powerful statement of the book remains the title of chapter 6:
Amateurs study Cryptography; Professionals study Economics.
PS: Adam Shostack blogs interesting stuff over at Emergent Chaos.