Quick Book Notes: The New School of Information Security by Shostack and Stewart

The authors state that the practice of information security is flawed in many ways (something I don’t disagree with in many ways).

This is not a book about information security, but a call for the practice of it to change, to grow up, so to speak.

The authors want the practice of InfoSec to be based on hard data, and they suggest that many approaches just don’t do very much, or are not worth their cost.

With shout-outs to the OODA loop, Moneyball, security economics, and psychology, it is an interesting read.

For the last six months I have been doing network engineering (rather than information security engineering), so I have been looking at the practice of information security from an outsider’s PoV. While I still enjoy much of the tactical work of network security and other aspects of information security, at the strategic level I question many of the “best practices”. Too much is really driven by auditors’ canned interpretations of SOX requirements. Information security programs are often just checklists of controls mandated by auditors. Whether a control is useful or cost-effective is a secondary consideration.
