John Wiley & Sons
15th Anniversary Hardcover
A Personal Message from the Author
I've written a new book.
I started writing this book in 1997; it was originally due to the publisher by April 1998. I eventually delivered it in April 2000, two years late. I have never before missed a publication deadline: books, articles, or essays. I pride myself on timeliness: A piece of writing is finished when it's due, not when it's done.
This book was different. I got two-thirds of the way through the book without giving the reader any hope at all. And it was about then I realized that I didn't have the hope to give. I had reached the limitations of what I thought security technology could do. I had to hide the manuscript away for over a year; it was too depressing to work on.
I came to security from cryptography, and framed the problem with classical cryptography thinking. Most writings about security come from this perspective, and it can be summed up pretty easily: Security threats are to be avoided using preventive countermeasures.
For decades we have used this approach to computer security. We draw boxes around the different players and lines between them. We define different attackers—eavesdroppers, impersonators, thieves—and their capabilities. We use preventive countermeasures like encryption and access control to avoid different threats. If we can avoid the threats, we've won. If we can't, we've lost.
Imagine my surprise when I learned that the world doesn't work this way.
I had my epiphany in April 1999: that security was about risk management, that detection and response were just as important as prevention, and that reducing the "window of exposure" for an enterprise is security's real purpose. I was finally able to finish the book: offer solutions to the problems I posed, a way out of the darkness, hope for the future of computer security.
Secrets and Lies discusses computer security in this context, in words that a business audience will understand. It explains how different security technologies work and how they fail. It discusses the process of security: what the threats are, who the attackers are, and how to live in their world.
It'll change the way you think about computer security. I'm very proud of it.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.