CSO Compass Award: Bruce Schneier
Chief Security Technology Officer, BT
By Bill Brandel
May 11, 2010 — CSO — As an author of books on security, the influential Crypto-Gram newsletter and the blog Schneier on Security (www.schneier.com), as well as a frequent guest on TV and radio, Bruce Schneier has become something of a celebrity in the world of security: He may be the only CSO whose likeness is used to sell T-shirts. Still, the most rewarding aspect of his career, as he conveyed in this interview conducted by e-mail, is that he believes he is having an impact on people's thinking about security.
CSO: What are three fail-proof principles of security leadership?
Bruce Schneier: One, tell the truth as you see it. Two, don't be afraid to change your mind. Three, be public when you've made a mistake or changed your mind. Note: These principles might not work in a traditional corporate setting.
What are two things about security leadership you wish you'd known 10 years ago?
One, economics matters a lot. Two, psychology matters even more.
What does psychology have to do with security?
Security is fundamentally about people—people as attackers as well as defenders—and if you don't understand the people you'll never understand security. It affects everything. Take an obvious example: terrorism. Terrorism kills approximately no one in the United States every year, and automobiles kill 40,000 Americans every year. That's more than a 9/11's worth of deaths each and every month. Yet where do we spend our money? It's the same everywhere: trying to enhance our feeling of security, sometimes by enhancing the reality of security and sometimes by implementing security theater.
Editor's note: read more of Schneier's thoughts about psychology in The endless broadening of security.
What this means is, when you think about a security system—as a developer, as a buyer, as an implementer or as an attacker—you need to understand the psychological motivations of those involved with the system. If you don't, you're going to get it wrong.
What will be the next big topic in the security field?
Transparency. Transparency of everything, because that's how you know what's actually going on. So much of security is sold and implemented on the "trust me" paradigm. Unfortunately, that results in a whole lot of bad security. So it will be transparency about threats, about attacks, about losses, about product capabilities.
What is the most over-hyped topic in the security field?
It's a serious problem with our industry. Companies emerge selling one thing: firewalls, public key infrastructure, biometric login, or whatever. In order for them to convince customers, as many as possible, to buy their stuff, they have to over-hype it. They have to claim that their solution is the one solution everyone needs.