The New School of Information Security

I just finished reading “The New School of Information Security”, which is written by Adam Shostack and Andrew Stewart. Reader of this blog thanasisk and I disagree on the value of the book. He considers it overrated, while I say that it is simply different.

I read this book on the bus (while going to work and returning from it). First of all, it is not a book. I would call it a long paper (160 pages long). Second, every two or three pages the message of the book repeats itself: we need objective data. If one wants to summarize “The New School” in two bullets, these would be:

  • We need objective data, so let’s start sharing data and not wait for others to share first.
  • Amateurs study Cryptography; Professionals study Economics.

Actually the second bullet is the title of chapter 6. People forget that cryptographers study cryptography. We apply it!

So does this book bring any new knowledge to the table? It depends on who you are. For me, who has passed through a variety of information security outposts (from security-oriented system administration, to running an emergency response team and passing the CISA exam, among others), the book does not offer any new knowledge. It clearly points out the “generalist versus specialist” debate (if you read sage-members, such threads occur from time to time) and pushes the reader to think outside of his domain of expertise.

Information Security is always a lot more than what you deal with. So what did I get by reading the book?

So is this book overrated? Well, if you have the experience that thanasisk carries, you can live without reading it. Is it different? Since it is a 160-page-long paper (a manifesto, if you like), of course. Is it readable? Yes! Should you read it? If you are an eager mind dealing with system administration or information security (at any level; from junior to senior), definitely yes! It will always remind you that Information Security is a whole lot more than what you think it is, deal with or are interested in. For it certainly is not only writing policies, running a vulnerability scanner or finding that next buffer overflow that will give you root access.

For me the most powerful statement of the book remains the title of chapter 6:

Amateurs study Cryptography; Professionals study Economics.

PS: Adam Shostack blogs interesting stuff over at Emergent Chaos.


3 thoughts on “The New School of Information Security”

  1. Hi!

    First things first:
    “Well if you have the experience that thanasisk carries you can live without reading it.” This line of praise really, really makes me blush :-)

    When I started reading this book, I was amazed. In the first few pages, Shostack and Co do a helluva job de-constructing what is wrong with the security industry. However, after a while the book really loses steam and I do not agree with the solutions that Shostack suggests, specifically with the economics bit. “Geekonomics” does a much better job describing the economic aspect of (in)security. For the rave reviews this book was getting, I was expecting more bang for my buck.

    So, all in all, yes it is a good book and I as well had the same sensation that “look, these guys call BS when they see it” BUT given all the rave reviews, it is a GOOD book, but not a must-have one.

    I will write a review during xmas as well.
