Present State of Security
World-renowned IT security expert Bruce Schneier gave a talk on the future of the industry, which remains quite new.
By Brian Power
October 23, 2009
As well as being Chief Security Technology Officer at BT, Bruce Schneier is also the author of several books on the topics of security and cryptography with a particular, if not exclusive, focus on the IT industry, which has led The Economist to describe him as a "security guru". And when discussing security he is refreshingly candid and forthright, not dissimilar in tone to Freakonomics author Steven Levitt, while sharing with Levitt the ability to view his chosen field from an angle less ordinary.
"Security is hard to sell for two reasons, economic and psychological," he says. The industry is not necessarily logical: it is by nature complex, and as a consequence easy to get wrong. The average buyer doesn’t necessarily understand the products on offer, while the industry player often cannot explain them adequately, meaning that "new companies with good ideas often end up floundering because they cannot communicate those ideas." Psychologically, security is also complicated: Schneier points out the difference between "greed sales" and "fear sales", where the former is a simple question of wanting something, while the latter is being afraid of the consequences of not having that thing.
He highlights the concepts of loss aversion and prospect theory and applies them to security, whereby people are much more amenable to avoiding losses than acquiring gains, and are risk-averse for gains, but risk-seeking for losses. As an example, when asked if they would prefer a guaranteed gain of 500 euros or to toss a coin for a gain of 1,000, the vast majority will choose the former. A similar choice, slightly adjusted, shows an interesting contrast regarding risk: faced with a straight loss of 500 euros or a coin toss for the loss of 1,000, people will nearly always choose the latter. This is where the problem for "selling" IT security lies. It is sold through fear of loss, and yet some companies attempt to turn it into a greed sale. As Schneier states, this is somewhat nonsensical: security keeps things as they are if it works properly. It brings no actual value in itself, and thus advertising campaigns portraying a return on investment by a security product are a complete fiction.
Schneier believes that "IT security takes advantage of a rare after-market for making things better." Usually, a consumer will buy a product because it is already "good", yet the IT industry seems fundamentally flawed in that the applications we buy are ostensibly not good. If they were, we wouldn’t need the additional security; it would be a standard feature like, as Schneier says, "brakes or airbags on a car. You don’t buy a car without brakes and then get told you need to fit them afterwards." So why is security in IT like this, when it is not in other industries? Schneier does not blame the IT industry, stating that "this is an effect of how new the IT industry is: it has developed very quickly, and security was ignored in the beginning."
There are further problems with security from the users’ side, where they have become less technically sophisticated and more socially sophisticated. Here, Schneier brings up "cloud computing", a phrase which he does not care for, but which adequately describes how IT has evolved. "Effectively, cloud computing is not greatly different from the client server models from the 1960s," he says, "simply put, it is your data on someone else’s hard drive. What happens with that data is beyond your control." Large applications are run this way, such as Hotmail, Gmail and Facebook. "You collect the information and place it in these applications. Once that is done, however, someone else is running it," insists Schneier. The users of these applications are platform independent, which makes things a lot more convenient, but is not necessarily good for security. This is where users are less technically sophisticated, as they care less about the details. Most will place their information in these applications without a second thought, just as most will no longer consider technical aspects like CPU speed or hard disk capacity when they are getting a computer in the first place. Things have changed as the number of actual users has grown. As Schneier ponders, "does anyone know what operating system Facebook uses? Does anyone even care?" There are reasons for this. In a short space of time, IT is becoming a norm, a utility. Like many utilities, there is a certain element of taking things for granted on the part of the users. Furthermore, the applications used change along with the users, as Schneier demonstrates: "there is a pretty clear age line between those who can’t live without Twitter and those who think it’s ridiculous. I am in the latter category!" The example may be facetious, but the underlying meaning is not. While the sites mentioned have security features of their own, what is paramount is that the data is beyond the user’s control once it is shared.
"Computing is becoming infrastructure. It is something taken for granted in the workplace, like a desk or electricity," says Schneier. So how can the problem of security sales be addressed? Schneier believes it should not be sold as a separate entity, but included in an overall computing package. He once again brings up the example of cars, which are sold with airbags and brakes included, or houses which are sold with lockable doors. These features are expected on those products, and it should be the same with IT products. Furthermore, it seems the IT industry as a whole is coming around to this way of thinking: "now we are seeing non-security companies buying or taking over security companies. These companies are recognising that security needs to be part of what they do. Users do not necessarily have to understand what the security features do, but at the same time they like to know they are there. Thus, security should become embedded into a greed sell."
He continues that IT is very much a reputation-based market, but those reputations matter more to the outsourcer, in this case the IT companies, than the user. Thus, because they are protecting something, the majority of security standards are beyond the requirements of the users. This is not to suggest the system is infallible. It clearly is not. For the future of the industry, Schneier states that "as long as there are threats, security will obviously be a requirement. The security industry certainly has a future but it will probably be different to how it is now. The industry is secure, but the pay-cheques will be written by someone else." This means that the users’ security may be placed in the hands of the providers of IT products as a whole, rather than kept as their own responsibility.
That said, Schneier believes this is a trend rather than a hard and fast rule, and it will not happen overnight. "We certainly have not reached a stage where users do not have to worry about security, and they should still take measures to protect themselves. And I do not believe we will reach that stage in our lifetime." However, security should play a concrete part in the IT policies of any given business, and it should be factored into the budget, with strategies and processes decided upon with full awareness of both risks and security issues. Programmes and applications are getting better, but the risks are also getting bigger. The security industry, and the major players in the IT industry, need to factor this in as we go forward. The signs are that it is being taken into account.
Photo of Bruce Schneier by Per Ervland.