Non-Fiction Review: The New School of Information Security

I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.

That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.

Conclusion: Buy and read this book. If you've been in the industry for a while and "get it," then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.

This page contains a single entry by Ben Tomhave published on June 20, 2009 3:41 PM.