Guru, Not Rock Star

By Hugh Penri-Williams
Infosecurity
April 2009

I have a confession to make. Bruce is one of my heroes, so perhaps I shouldn't be writing this review. Now it's public knowledge -- I am openly biased. However, it is a double-edged sword. Whilst I am the first to refer in glowing terms to Bruce's writings on virtually every occasion that I've given my own presentations around the globe, I have to admit that hearing him in the flesh is just not the same experience.

I must hasten to note that this is an unfortunate phenomenon applicable to many in our select profession. Very few are able to hold an audience and simultaneously convey enough gravitas. Well, there goes any chance of Bruce ever talking to me again, let alone signing his book for my collection.

This latest opus, based on his Schneier on Security blog and newsletter, continues the thrust from his excellent Beyond Fear (a must-read for getting into the spirit of his approach before delving into his newsletter and blog) that primarily focused on security being a process, not a product, security trade-offs and the behavioural and psychological factors of security -- concepts recognised in some of Infosecurity's articles.

So, despite the introductory caveats, I hope my enthusiastic endorsement will, after all, still carry some weight with you, the reader, and even -- forgivingly -- with Bruce himself.

This collection of prodigious writings spans the post-9/11 world. Entries are very wide-ranging and annotated, where necessary, with relevant updates. Refreshingly, beyond the traditional galaxy of identity management, privacy, software quality (clearly an oxymoron), and PC security, they include surprising subjects like voting technology, the death of the ephemeral conversation and security at the Olympics. In total, the book covers over 120 topics in 12 chapters, supported by 50 pages of references and a 15-page index.

His introduction emphasizes four essential points:

1. Security is a trade-off.
2. You are a security consumer.
3. Security is a system.
4. Technology causes security imbalances.

It is correctly stressed that you can read the items in practically any sequence. Some are as relevant now as they were in their day -- topics that simply refuse to go away or rather will continue to haunt us for a long time to come.

What does it all boil down to? Schneier's greatest virtue, I believe, is to make you think profoundly about the true value -- or not -- of the majority of security measures by laying bare their inconsistencies, impracticalities, wastefulness and sheer futility. Only then can you get to grips with the reality needed to combat this -- often literally -- life and death issue. Many of our (re)actions are precisely what terrorists want us to do: behave in a terrorized instead of rational fashion.

His portrait on the book's flysheet -- a steely blue, piercing stare against a faint backdrop of a horde of PC-satchel-toting commuters, marching in the opposite direction -- is (unintentionally?) perfectly indicative of his individual wit, insight and anti-herd instinctive approach.

It also carries some rousing epithets. "The closest the security industry has to a rock star," from The Register, is laying it on a bit thick, I feel, especially with respect to my earlier remarks about his on-stage 'presence.' I do, however, definitely concur with The Economist labelling him a "Security guru."

We could very well do with more Bruce Schneiers to advance the passionate cause for rational thinking aimed at truly coping in an effective manner with security issues instead of the all too prevalent 'security theatre' so much and so often rightly maligned by him.
