Shostack + Friends Blog Archive


5 Years of New School

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years.

Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain would come of talking about our problems. Many people found it shocking when we challenged best practices, or asked if there was evidence for the ways we invested in security. I’d like to think we played some small role in how the culture of information security has changed. I’m hopeful that culture will continue to evolve in ways that focus on outcomes and data about those outcomes. At the same time, as I reflect, I go back to what Andrew and I wrote.

We wrote that the New School of Information Security is:

  • Learning from other professions, such as economics and psychology, to unlock the problems that stymie the security field. The way forward cannot be found solely in mathematics or technology.
  • Sharing objective data and analysis widely. A fetish for secrecy has held us back.
  • The embrace of the scientific method for solving important security problems. Analyzing real-world outcomes is the best way for information security to become a mature discipline.

We’ve seen tremendous movement in the sharing of objective data. From the DBIR to Mandiant’s report to revelations from Google, RSA, Bit9 and many others, we see people willing to talk about what went wrong. Sure, they sometimes add some spin, but that’s human nature. We’re seeing data being shared, or as I now like to say, published. We can’t take credit for that. Lots of people did a lot of hard work to convince their organizations to publish that data, and we’re learning from it and collections like the Open Security Foundation’s dataset.

We’ve also heard from countless folks about how much they liked the book, how it’s influenced their thinking and their actions, and that’s been a wonderful return on our work.

What we haven’t seen as much of is learning from other professions, such as economics and psychology. It’s still too common to complain that people will click on anything, and we still argue, with a paucity of data, about whether training people makes any sense. (Although if you have any data, I’d love to get it some attention at BlackHat.)

We also haven’t yet seen a lot of published data on the effectiveness of various security investments. As far as I know, no compliance regime yet requires breached entities to report back to those who create the standard about what went wrong, perpetuating the wicked environment in which we work, and wasting the time and money of those who need to comply.

Sadly, the previous two paragraphs relate to what we wrote in chapters 5 and 6. For those of you who enjoyed the book, let me ask you to re-read them. For those of you who haven’t yet read it, now’s a great time. [Update: Even better, Addison Wesley is offering 40% off with code NEWSCHOOL40 to help us celebrate! Apply the code after proceeding to checkout.]

Andrew and I remain optimistic that our world can get better, and we’re proud to have helped illuminate a path forward.