Review of Beyond Fear
Bruce Schneier is perhaps the best example of why IT security professionals are "eating the lunch" of physical security managers in some corporations. He thinks creatively, he expresses himself logically, and he has cultivated the ear of people high on the corporate food chain. His latest book will be food for thought for security professionals.
Beyond Fear is organized into three sections: "Sensible Security," "How Security Works," and "The Game of Security." The first section introduces three of Schneier's core concepts: that all security involves trade-offs, that trade-offs are subjective, and that they depend on power and agenda.
The longest of the three sections, "How Security Works," covers well-known principles such as detection and response—the chapter on identification, authentication, and authorization alone is worth the price of the book—but it also introduces several thought-provoking concepts. These include "rarity-based failure" (when an event is so uncommon that when it happens people don't believe it's a security incident, assume it's a malfunction, or have never practiced responding to it) and "class breaks" (when attackers can exploit one newly discovered vulnerability to attack all systems of the same class).
Some security managers will chafe at "The Game of Security," in which Schneier makes bold pronouncements such as "Bad security is worse than no security." Physical security managers may also bristle at being told how to improve their physical security by Schneier, an IT security expert. But readers should stick with the section to the end. Even if they don't agree with Schneier, security managers will discover a bracing new way of looking at their field.
Although it has many of the components of a great book, readers will differ over whether it reaches that lofty level. Some of the examples Schneier uses seem to be mere anecdotes; it's impossible to tell because there are no footnotes. Also, while it is clear that Schneier knows the difference between safety and security, several examples he gives of system failure involve safety, not security issues.
In another case, Schneier discusses "security theater"—highly visible but hollow security efforts designed to mollify the average worker or citizen. While Schneier is understandably cynical in his view that security is often used as a smokescreen, what is missing from an otherwise excellent discussion is appropriate attention to the role played by the risk management and legal departments in contributing to security decisions. Less-than-ideal security decisions are made every day not for appearance's sake but to meet a threshold legal standard.
Whether the reader agrees with him or not, Schneier is always challenging and compelling. Many audiences would benefit from this book. Homeland security officials could stand to absorb Schneier's dictum that "Bad security is worse than no security." By understanding and puncturing the security mystique, clients who contract for security services could keep their providers honest. Nonsecurity executives would learn how difficult it is to provide good security. Finally, after reading this book, physical security professionals should stand a fighting chance of wrestling their lunch back from IT.