Non-Fiction Review: The New School of Information Security

I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.

That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.

Conclusion: Buy and read this book. If you've been in the industry for a while and "get it" then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.

My Other Pages

Support Me

Support EFF

Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10