As an author of books on security, the influential Crypto-Gram newsletter and the blog Schneier on Security (www.schneier.com), as well as a frequent guest on TV and radio, Bruce Schneier has become something of a celebrity in the world of security: He may be the only CSO whose likeness is used to sell T-shirts. Still, the most rewarding aspect of his career, as he conveyed in this interview conducted by e-mail, is that he believes he is having an impact on people's thinking about security.
CSO: What are three fail-proof principles of security leadership? Bruce Schneier:One, tell the truth as you see it. Two, don't be afraid to change your mind. Three, be public when you've made a mistake or changed your mind. Note: These principles might not work in a traditional corporate setting. What are two things about security leadership you wish you'd known 10 years ago?
One, economics matters a lot. Two, psychology matters even more.
What does psychology have to do with security?
Security is fundamentally about people—people as attackers as well as defenders—and if you don't understand the people you'll never understand security. It affects everything. Take an obvious example: terrorism. Terrorism kills approximately no one in the United States every year, and automobiles kill 40,000 Americans every year. That's more than a 9/11's worth of deaths each and every month. Yet where do we spend our money? It's the same everywhere: trying to enhance our feeling of security, sometimes by enhancing the reality of security and sometimes by implementing security theater.
Editor's note: read more of Schneier's thoughts about psychology in The endless broadening of security.
What this means is, when you think about a security system—as a developer, as a buyer, as an implementer or as an attacker—you need to understand the psychological motivations of those involved with the system. If you don't, you're going to get it wrong.
What will be the next big topic in the security field?
Transparency. Transparency of everything, because that's how you know what's actually going on. So much of security is sold and implemented on the "trust me" paradigm. Unfortunately, that results in a whole lot of bad security. So it will be transparency about threats, about attacks, about losses, about product capabilities.
What is the most over-hyped topic in the security field?
It's a serious problem with our industry. Companies emerge selling one thing: firewalls, public key infrastructure, biometric login, or whatever. In order for them to convince customers, as many as possible, to buy their stuff, they have to over-hype it. They have to claim that their solution is the one solution everyone needs.
Of course that's ridiculous—while most security technologies have some value, none are panaceas—but the companies can't help themselves. Of course, this leads to inevitable disillusionment of customers when their antivirus product or authentication service doesn't magically make them secure. And, sadly, we've created a customer base that's pretty skeptical of new security technologies or solutions.
If a CSO could get budget approval for one security investment, what should it be?
An analysis to determine whether his other security investments are worthwhile.
What is business stakeholders' most dangerous misunderstanding about security?
That security matters very much. Security is almost always a part of a larger decision, and it's rarely the primary driver of that decision. It's true for large decisions like invading Iraq, and it's true for small decisions like whether the CEO gets a BlackBerry or not. Knowing how much security actually matters—and it invariably matters less to non-security people—is vital to understanding and influencing these decisions.
There is much discussion that people who commit cyberfraud or cyberattacks are growing increasingly sophisticated, and that this practice has proliferated during the recession. Do you agree? Will this recession be remembered as a time when cybercrime evolved to the next level?
Cyberattacks have continually gotten more sophisticated over the past decade. I don't think the recession is causing any additional renaissance in sophistication. There's a lot more money in cybercrime, and it's gone both professional and international.
What do you see as the risk potential of social media for most organizations?
This is a complicated question, because every answer is correct. The risk of using social networking sites is that employees will post sensitive corporate information online. The risk of banning them is that employees will not come work for you, because you're a Neanderthal 20th century company. Social networking sites are how people socialize, and you can't fight the trend. What you can do is enforce corporate confidentially requirements across the board, regardless of medium.
Do you get any of the royalties on the sales of Bruce Schneier T-shirts?
Not a penny. If I weren't so entertained by the whole idea, I might be annoyed.