About this site

The New School of Information Security is a book by Adam Shostack and Andrew Stewart, published by Addison-Wesley Professional in 2008. (Amazon page, Addison Wesley page)

The blog is inspired by the book and the movement towards a New School. We have a page on the book itself, including reviews and some podcasts which Adam has done.  Writing for the New School blog is our roster of resident writers, as well as guest bloggers who appear from time to time (if you think you’re New School and would like to guest blog – please get in touch with us by emailing nssbloggers at Google’s mail service.)

Resident & Guest Bloggers on NewSchoolSecurity.com are speaking only for themselves, not their employers, the other bloggers, Addison-Wesley, or for Adam Shostack or Andrew Stewart or their employers.

Additionally, this site is insecure, and is probably hosting the 0day of the week, to pwn you. We recommend not trusting it or putting it into your whitelist.

Lastly, the bloggers here collectively have decades of experience and spend a great deal of time deeply understanding problems which are presented to them in their professional capacities. What they write here is generalized perspective, and you would be foolish to believe that it is customized for your situation.

We agree with resident blogger Chandler Howell when he says, “biographies are hard…how to self-promote enough that I sound like I’m worth reading, yet not so much that it sounds like BS or something the marketing folks would write…”

So with that in mind, here’s a bit about who we are:

Adam Shostack is co-author of The New School of Information Security (the book). He helped found the CVE, the International Financial Cryptography Association, and the Privacy Enhancing Technologies Symposium. He has been a leader at several successful startups including Netect, Zero-Knowledge Systems and Reflective. He currently works for a software company in the Pacific Northwest. His personal site is Adam Shostack’s home page.

Chandler Howell was one of the first bloggers to focus on Information Risk rather than IT Security.  Prior to moving into Information Protection, he spent time as a *NIX Admin and coded risk management models for a global investment bank.  He has formed and led the Information and IT Security functions at both start-ups and Fortune 500 companies.

Currently, he lives in Chicago where he leads the Information & IT Security functions for a mid-size gaming machine manufacturer.

Alex Hutton has been involved in InfoSec in some capacity since 1994 when he was asked to educate customers as to why they needed these expensive “firewall things”.  Sometimes his role has been marketing, sometimes management, sometimes consultant, sometimes analyst.  Alex likes blogging about risk and security management (both in their more traditional, non-industry connotations).  He works in Risk Intelligence for a Fortune-something company.

David Mortman is the CSO-in-Residence for Echelon One, where he is responsible for their Research and Analysis program and also writes regularly for SearchSecurity.com. Formerly the CISO for Siebel Systems, David and his team were responsible for both IT and Product Security as well as Siebel’s Privacy program. He was also heavily involved in Siebel’s compliance efforts. David sits on several advisory boards and is a well-known speaker with regular appearances at RSA, Black Hat and DEF CON, to name a few conferences. Currently residing in Columbus, OH, David is an alumnus of the University of Chicago.

Brooke Paul is the former Senior Vice President and Chief Information Security Officer of American Financial Group (AFG), a Fortune 500 insurance company.  He has also been CEO & President of Neohapsis, one of the premier information security and IT risk management service organizations in the world.