The New School of Information Security
Authors: Adam Shostack, Andrew Stewart
Publisher: Addison-Wesley Professional
Category: Book
List Price: $29.99 Buy New: $17.51 You Save: $12.48 (42%)
New (36) Used (9) from $14.00
Rating: 13 reviews Sales Rank: 130423
Media: Hardcover Edition: 1 Pages: 288 Number of Items: 1 Shipping Weight (lbs): 1.3 Dimensions (in): 9 x 6.1 x 1.3
ISBN: 0321502787 Dewey Decimal Number: 658.478 EAN: 9780321502780 ASIN: 0321502787
Publication Date: April 5, 2008 Availability: Usually ships in 1-2 business days
Condition: All orders ship same business day via standard shipping (USPS Media Mail) if received by 1 PM CST.
Editorial Reviews:
Product Description

“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.” --David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security.

It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

- Better evidence for better decision-making: Why the security data you have doesn’t support effective decision-making--and what to do about it
- Beyond security “silos”: getting the job done together: Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve
- Amateurs study cryptography; professionals study economics: What IT security leaders can and must learn from other scientific fields
- A bigger bang for every buck: How to re-allocate your scarce resources where they’ll do the most good
Customer Reviews:
Get to the point already
October 29, 2008, by Stephen Northcutt (Kauai, HI USA). 6 out of 44 found this review helpful.
A wise man once said that to give a great presentation, start with a great opening that catches the audience's attention, close with a reminder of the useful tips you have shared, and keep the opening and closing as close to one another as possible. I think that is what the authors need to work on. I carried this book with me on multiple plane flights and read it and read it again and again, and to be honest, I can't follow it. I agree that security professionals need to change the way they think about security, I really do. But this just goes on and on and on and never seems to get to the point. So, three times I opened this book, three times I failed; I confess I may never understand what the New School of Information Security is. I do have a bit of advice for anyone considering buying this book: go to a bookstore, open it up and read for a bit. I am told the mojo is in chapter 4, but decide for yourself. Pick a chapter, read it, and if you get a takeaway you can use, buy the book.
Highly Recommended for All
August 22, 2008, by Alexander Hutton (Columbus, Ohio USA). 5 out of 6 found this review helpful.
I really enjoyed this book. Should you buy it and read it? Yes. I think there's no better evidence for your purchase than the fact that many smart people have already provided you with a quality review in which they've nitpicked various pieces and parts while still rating the book a 4 or 5. To me that shows not just enthusiasm for the content, but some level of "ownership" of the information on the part of the reviewers. A desire to take this work and build on it, have some intellectual ownership over it, if you will. That, if you ask me, should be a compelling reason to give this book a read. It's also worth noting that much of the previous criticism reflects the desire of the reviewer to have complete information around the subject of information security, information that *nobody* has yet. It's faulting the authors for not writing a book that reveals all of life's great mysteries. For me, it's enough for the authors to point us in a general direction while admitting that there are no easy answers.
Should read if ...
August 13, 2008, by Jos Pols. 3 out of 4 found this review helpful.
Nutshell review: This book should be read if you are in any kind of management position related to information security. It presents some thought-provoking ideas to help you think about information security in a different way from the norm. Does it have all the answers? No. Will it help you think about answers? Yes, I think so.
Not much "new school" in The New School of Information Security
August 2, 2008, by R. Lewis (Ottawa Canada). 3 out of 6 found this review helpful.
The previous reviews have adequately discussed the contents of The New School of Information Security (The New School). This is a short review within a discussion of what a "new school" of information security should do. The New School eloquently outlines the evolution of information security from its roots, to a big picture snap of where it is at today, warts and all. It is economic of words, but not of concepts. The New School is a field summation accessible to non-technical readers, while at the same time attempting to act as a kind of a clarion call for security professionals. The authors do a pretty good job of this balancing act; they have created a map that tells the security industry, "You are here" in narrative terms. The problem with this map is that it has gaps in it and its information is sketchy in parts. The authors tell us in The New School why this map lacks clarity and then suggest ways to improve it. While I was thinking about The New School, Richard Bejtlich submitted a review where he says the authors "... don't do much to provide actionable next steps." I agree that there is not much "new school" in The New School. Personally I was hoping that the words "new school" in the title meant that it described a path to innovation or new ways to achieve information security. While there are a few mentions of being open to new perspectives, The New School mostly recommends improved empirical methodologies to make status quo technologies and models work better. I also smiled at the irony of Mr. Bejtlich's review where he says: "Maybe [information security] dysfunction should be empirically demonstrated before foundations for a "New School" are deployed?" One of Richard's so-called Three Wise Men of Security is Marcus Ranum, who has probably written more about the dysfunctional side of information security, and monies wasted, than anyone else. (More later) Even the term "information security" is a bit cloudy.

The majority of persons equate the term with network security, which is information security only in the broadest sense. Although there is a growing consensus in the industry that it must refocus on information-centric security, there is no real discussion of this necessary change in direction in The New School. Why do security pundits often say and write that information security has hit a wall, and that we no longer see innovation in information security? Guy Kawasaki wrote in his "Art of Innovation" spiel, "Those on the first curve are unable to comprehend, let alone embrace, the second curve." If this is really the case, which persons on the "first" curve will ever be in a position to come up with, or recognize, new innovations? When one tries to solve a problem, one intuitively starts with what one already knows, based on related experiences. From a philosophical point of view then, one might have to unlearn, or be able to put down, what one already knows, to be able to think out-of-the-box. Unfortunately, The New School makes a case for Kawasaki's assertion by demonstrating that its authors, like most others in the information security field, are planted squarely on the first curve. Why does this matter? In the same article, Kawasaki also writes that those on the first curve are aiming for improvements of 10-15% in status quo technologies (usually to gain market advantage), while true innovators strive for 10-15 TIMES improvements in end performance. That seems to imply a lot of empirical measurement and metric development ahead of us for an optimistic 15% increase in performance! The authors allude to the fact that many security products address symptoms of the problem, instead of the problem itself. Shouldn't a genuine "new school" address the historic omission of security from information systems design that gives rise to the information systems security problems we are experiencing in today's networked world?

How can an industry that has a dysfunctional premise (an inherent design flaw) as its foundation not be dysfunctional? Are we attempting to build skyscrapers on a foundation of sand? Read Marcus Ranum for enjoyable rants on the futility of this. This is the quandary for information security. Why should ANY resources be devoted to improving flawed technology models? Yet, it may be beyond the realm of possibilities for anyone fully entrenched on their current path to change course to a path of innovation. Perhaps a more accurate title for the book might have been "Reforming the Old School." In saying this I do not intend to be mean spirited, for I think the authors have done a service for the industry by challenging concepts such as "best practices", and The New School is worthy of a read. The real goal of a "new school" should be real innovation. Innovation must address the real problem so that we may jump to the next curve and obtain leaps in protection of data, rather than settling for marginal gains by inching further along the first curve. Without such consideration, The New School is not strong enough to be a turning point for the industry, as some people might think, but it is good enough to act as a catalyst for better use of the status quo. Besides improved empirical methodologies though, we also need some real out-of-the-box thinkers and innovators. They are the ones that will be able to write the curriculum for a future "new school" of information security.
A wake-up call for some, but not many answers
July 27, 2008, by Richard Bejtlich (Washington, DC). 4 out of 10 found this review helpful.
If you don't "get" Allan Schiffman's 2004 phrase "amateurs study cryptography; professionals study economics," if you don't know who Prof. Ross Anderson is, and if you think anti-virus and a firewall are required simply because they are "best practices," you need to read The New School of Information Security (TNSOIS). If you already recognize why I highlight these issues, you will not find much beyond an explanation of these central tenets in TNSOIS. Authors Adam Shostack and Andrew Stewart do a good job summarizing the problems with the worldview held by many in the digital security industry. While they fairly effectively demolish current mindsets, they don't do much to provide actionable next steps. For example, the book jacket teases us with statements like "Why the security data you have doesn't support effective decision-making -- and what to do about it" and "How to re-allocate your scarce resources where they'll do the most good." I read that most of what the industry does is broken, but not much beyond general ideas like these from the end of Ch 6: "When considering spending on a security product, a useful first question to ask is whether the core capabilities that the product would provide are already available within the organization's IT structure... Another framing question to consider is whether the security functionality you want will be delivered at some point in the future within the infrastructure that the organization already owns or expects to own" (pp 126-7). This isn't very "new school" to me, i.e., don't buy what you already have or expect to have soon. Similarly, the "Call to Action" in Ch 8 boils down to "Gather Good Data," "Analyze Good Data," and "Seek New Perspectives," but aside from breach data, we aren't given much else to follow. Sections like this make me think TNSOIS could have been more of a pamphlet than a book, but I shouldn't take for granted that many people don't think like the authors.

I thought it ironic that a book praising the importance of evidence would place all of the references as endnotes at the back of the book. I laughed when I read on p x "we don't include endnote numbers in the text. We find those numbers distracting, and we hope you won't need them." Accurate documentation is the heart of good research, so a second edition or future works should put proper footnotes on each page. Readers usually ignore endnotes because it's a hassle to flip back and forth. When is the reader to know an endnote even exists, if the text has been stripped of endnote numbers? We do need more security books that teach "how to think," instead of "how to configure a firewall." I wonder if books like "Cyber Security: Economic Strategies and Public Policy Alternatives" by Gallaher, Link, and Rowe might provide a stronger empirical rationale for the ideas we read in TNSOIS. I'd like to leave the authors with one thought. The back jacket asks "Why is information security so dysfunctional? Are you wasting the money you spend on security?" I don't see real data (of the kind I'd expect the authors would demand elsewhere) justifying the "dysfunction" aspect, although my "gut" sympathizes with this assessment. That doesn't satisfy an evidence-based approach, however. Maybe dysfunction should be empirically demonstrated before foundations for a "New School" are deployed?