Book Review: The New School of Information Security

Book Review: The New School of Information Security
Book Review: The New School of Information Security

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

[ - WK] 

Author: Adam Shostack and Andrew Stewart
Pages: 288 
Publisher: Addison-Wesley
Rating: 9
Reviewer: Ben Rothke 
ISBN: 978-0321502780
Summary: Information security is highly broken; this book suggests a 
realistic fix.

Far too much of the security industry has its roots in FUD. Billions of 
dollars of information security products have been sold, and for what? 
The book asks why is information security so dysfunctional and why 
companies are often wasting so much money on security. So what is this 
thing called the new school? The authors define it as neither a service 
nor a product; rather it is a new approach that uses the scientific 
method and objective data. This in turn gives an entirely new 
perspective from diverse fields to make effective security decisions. 
The authors rightly believe that when objective data is used, it enables 
better decision-making.

The New School of Information Security is a ground-breaking text in that 
it attempts to remove the reader from the hype of information security, 
and enables the reader to focus on the realities of security. The fact 
that such a book needs to be written in 2008 shows the sorry state of 
information security.

The book starts out with observations of why there are so many failures 
within information security. Anyone with experience in security can 
easily relate to these issues. One recurring theme throughout the book 
is that poor data, be it research or advertising negatively effects the 
state of security. The authors astutely note that security advertising 
often does a disservice to the security field because it glosses over 
complex problems and presents the illusions of a reality in which a 
security panacea exists. It makes the buyer believe they can reach that 
panacea by using their service or purchasing their product.

In creating their new school, the authors have no qualms in attacking 
the dogma of the current state of information security. From Gartner to 
the Executive Alliance and more, the authors show that these groups and 
more often suffer from issues such as bias, lack of a scientific method 
and more. The book notes that the search for objective data on 
information security is at the heart of the philosophy of the new 
school. Since there is a drought of objective data today, the book asks 
how can we know that the conventional wisdom is the right thing to do? 
The observation is that the current state of affairs is unsustainable 
for the commercial security industry and for security practitioners.

The title of chapter 5 gives away the theme of the book =E2=80=94 Amateurs Study 
Cryptography =E2=80=94 Professionals Study Economics. The idea is that 
information security must do a better job of embracing such diverse 
fields as economics, psychology, sociology and more, to make effective 

In some ways, the authors are perhaps too aggressive in their desire for 
security statistics. One of the most scientific approaches to 
information security is from CERT ( Yet the authors are 
not satisfied with CERT's findings that the majority of incidents appear 
to be insider based. Given what data and statistics we have in 2008, the 
figures from CERT are certainly good enough. Yes, they could be better, 
and yes, breach data is not actuarial data, but given the data from 
CERT, combined with recent news and court cases (UBS, Soci=C3=A9t=C3=A9 
G=C3=A9n=C3=A9rale,etc.) clearly show that insiders are the most insidious threat.

Also, while the current state of information security is indeed less 
than perfect, the authors are a bit too condescending of areas where 
security is formalized (ISO 27001, etc.), yet not perfect.

After years of countless 1,000+ page massive security books, The New 
School of Information Security succinctly spreads its message in a brief 
160 pages. In those 160 pages, the author's detail at a high-level what 
needs to be done to create this new school. Therein lays the books only 
flaw, its brevity. The authors want to get the concept of the new school 
out there, but they do not detail enough of the necessary requirement to 
make it work. They show with clarity how things are broken, but don't do 
enough to show how to fix it. Let's hope the authors are at work on a 
follow-up writing those necessary additions.

Some Slashdot readers are likely to question how an author (Shostack) 
can write a book on security while being employed by Microsoft. Even 
with all its security issues, what many do not realize is that no 
software company has spent more on security in the past decade than 
Microsoft. Indeed they have a lot of catching up to do, but it is being 
done. Put another way, Microsoft has likely spent more on security than 
China has spent on democracy.

Too much of information security is clearly broke and The New School of 
Information Security is about fixing it. The author's pragmatic approach 
is a refreshing respite from years of security product based FUD and 
silver-bullet solutions. The approach of the new school is one that 
screams out to be put into place. It is the job of today's CISO's and 
CIO's to heed that call, take the initiative, and lead their 
organizations there. Either they graduate their staff from the new 
school, or we are faced with more decades of information security 

Let's hope The New School of Information Security is indeed a new start 
for information security. The book is practical and pragmatic, and one 
of the most important security books of the last few years. Those 
serious about information security should definitely read it, and 
encourage others to do the same.

Ben Rothke is a security consultant with BT and the author of Computer 
Security: 20 Things Every Employee Should Know.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to the InfoSec News RSS Feed 

Site design & layout copyright © 1986-2014 CodeGods