The year of the guru

Bruce Schneier

When it comes to information security Bruce Schneier is perhaps one of the biggest names in the industry and has been referred to as a security guru. He spoke to Henry Tucker about security legislation, new threats and the latest IS concerns.

In terms of enterprise security, what would you say are the major concerns for 2008?

Crime. Crime has been the most serious threat for years now, and it continues to be so. That's a constant; what changes are the tactics and the mechanisms. I expect to see more Trojan-based identity theft as two-factor authentication becomes more common, and IP telephony-based attacks as that becomes more common.

Is there anything, perhaps in terms of new legislation, that governments should be doing to combat security risks?

I want two things out of government. I want them to enforce software liabilities, so the company in the best position to mitigate the risk is finally responsible for the risk. And I want them to use their buying power to influence product vendors to make their offerings more secure.

A lot has been made lately about companies being more at risk from their employees compromising their systems than from outside attacks. What are your thoughts on this?

All good crime involves insiders. They have better access to the systems, and more detailed knowledge of how they work and where the vulnerabilities are. And they're more trusted, because they're already on the inside. On the other hand, there are far more outsiders. In general, the low-level stuff is perpetrated by outsiders, but the concerted attacks often involve insiders.

As an industry, and also as individuals, is there one thing that we should be doing to improve security?

It's never one thing; it's always a lot of things. For most of us individually, the single most important thing we can do for our own security is to make regular backups. Added to this, as an industry, we need to get better about writing secure code.

Do you think that IT project managers take security techniques and costs fully into account when planning projects, and are these managers savvy enough, security-wise, given that they control so many IT projects?

Of course not. Life cycle costs in general are not fully taken into account in these instances. And it's not just a matter of not being savvy enough; it's actually hard.

BCS is pursuing professionalism in IT - what are your thoughts on this?

I believe that professionalism is admirable in all things.

What are your thoughts about the possible vulnerability of voice over IP now that it is being adopted by the business community?

Of course there are vulnerabilities in VoIP; there are vulnerabilities in every internet protocol. And we'll see more of those vulnerabilities being exploited as the protocol becomes more widely adopted.

Do you think that people's confidence with security, phishing scams and identity theft could cause, or is already causing, serious harm to online business?

It's something we have to watch. So far, there hasn't been enough internet-based crime to scare people away from it. But it could happen. There's a tipping point: when enough people you know say things like 'I used to shop on the internet, but it's too dangerous', then everyone starts to think so. We're not near that tipping point yet, but if the criminal trends continue we could get there.

If there was one thing you could change with the way that the internet works or how people work, in terms of security, what would it be?

I would make the internet work around people, rather than forcing people to work around the internet. That conceptual shift would do an enormous amount to make security more realistic: both improving it where it should be improved, and aligning people's impressions of how secure parts of it really are.

Quick Questions

Mac or PC?

PC. Windows. Yeah, yeah. It's easier with my current IT support structure.

Are you a geek or a nerd?

Both. Neither. I don't know; I'm not very good with labels.

BlackBerry, PDA or iPhone?

Treo. I want to carry one thing, so I need a single device that does email, phone, and calendar. And I don't use Outlook, so I need something that syncs with a desktop calendar. For years that's been the Palm calendar, and I can't find anything else that suits.

How would you like to be remembered?

The highest praise that I receive is from people who say that my writing changed the way they think.

If you didn't work in IT, what would you be doing?

Probably math.

What would your one piece of careers advice be?

Never stop learning.

This article first appeared in the Spring 2008 issue of ISNOW.

May 2008