THE MAGAZINE

The New School of Information Security

By Adam Shostack and Andrew Stewart; Reviewed by Jeffrey W. Bennett, ISP

***** The New School of Information Security. By Adam Shostack and Andrew Stewart; published by Addison-Wesley Professional, www.informit.com (Web); 238 pages; $29.99.

Many of us in the security profession have attended seminars or read trade magazines on IT security. The lessons usually carry the same apocalyptic message: fix your security now, before all your information is stolen and your company shuts down for good.

In this book, authors Adam Shostack and Andrew Stewart upend the traditional approach to IT security, which they argue is obsessed with budgets, best practices, and scare tactics. They ask something that many corporations find unthinkable: that they share threat and breach data. Without building a body of that kind of evidence, the authors explain, there is no way to tell whether we are protecting against the right threats or whether our security measures are effective. The best findings result from the broadest possible base of solid evidence. They bolster their case for openness by noting that when companies admit to data breaches, they often avert scandal and recover quickly.

Shostack and Stewart also advocate strict policy and training directed toward risk. Those efforts should focus on countering the normal tendency to ignore rules, which arises because taking shortcuts to get the job done is generally rewarded more than following pedantic policy.

Shostack is responsible for security design analysis techniques at Microsoft, while Stewart is a vice president at a U.S. investment bank with credentials in information security. They do an excellent job of questioning mainstream security methods and decision processes, and they make a solid argument for a new way of thinking about information security. The ideas are simple but rarely spoken; the reader is left with head-slapping thoughts of “Why didn’t I think of that?” or “I totally agree.”

The book is an easy read and is applicable to other areas. Practitioners of physical security or loss prevention, defense contractors, and many others in and out of the security profession can adapt the principles to their business unit. The book raises many relevant issues, but as the title suggests, it will require openness to new ways of thinking.


Reviewer: Jeffrey W. Bennett, ISP (Industrial Security Professional), is the author of ISP Certification: The Industrial Security Professional Exam Manual, published by Red Bike. He holds an M.B.A. and manages security, safety, and exports compliance for a Department of Defense contractor. He is a member of ASIS International.
