Is Security a Solvable Problem?
Or is security the computer equivalent of the War on Terror? Bruce Schneier gives us the story.
Bruce Schneier is as close as you can get to being a rock star in the security industry. A cryptographer, computer security specialist and bestselling author of numerous books, he’s written countless articles and columns on security issues. He blogs about them at "Schneier on Security" http://www.schneier.com/blog, and publishes the monthly Crypto-Gram Newsletter that has a global readership of around 130,000.
He also finds time to be active in the industry as chief technology officer of BT Counterpane, http://www.counterpane.com/ a managed security services and consulting company he started in 1999 – plus he's one of our Top 59 Influencers in IT Security . We caught up with him about the state of security today and whether security is a solvable problem – or just an endless arms race.
IT Security: Have you seen any major change in attitudes at companies/organizations about security in the past few years? Do people “get” the importance of security now? Is it a strategic business consideration, or is it still considered something separate?
There has been some change. You can see it in the rise of managed security services. These services generally focus on results instead of technology, and illustrate that organizations are starting to care less about the details of security technology. You can see it in the increase in security budgets, as organizations take their Sarbanes-Oxley audits seriously. You can question whether or not CXOs "get" the importance of security, or whether they're just doing what's expedient, but in the end the results are the same.
I think there's something deeply psychological about security, and it will always be viewed as a separate thing. The trick is moving beyond that. Banks have, because they've spent centuries dealing with security problems. Computers and networks are still new; it might take a generation before security becomes part of the core business decisions. But moving it outside the organization is a good step, because the experts are more likely to understand the trade-offs first.
IT Security: Is security still seen as something that technology alone can solve, along the lines of “just throw another firewall in there?" We’ve seen any number of long screeds in the past few years about how security is really a people issue, that’s it’s not something that technology alone can solve. Why isn’t that argument gaining more purchase?
Our society has a large fetish about technology: that it can solve our problems. In the world of computers, this is largely true. Wait a generation, and your word processing, graphics, networking or (other) problems become solvable. (But) security is fundamentally a people problem, so technology matters less.
In the end, though, this won't matter. As organizations continue to outsource their infrastructure, including security, they will have less input into how their security problems are solved. MSM providers know that security is a combination of people, process and technology, and that's what they're selling.
IT Security: Conceptually I think most people would agree security is an important element in today’s IT driven world, but its application is not consistent. What else is needed?
Security is 100% a matter of incentives. If the economic incentives aren't aligned properly, even the best security solutions won't be implemented. Align the economic incentives and security companies will fall over themselves trying to solve the security problem. In the computer world, I have long maintained that the correct incentives are liabilities. Software vendors need to be liable for insecure products. Organizations need to be liable if they expose our personal information. That's the kind of economic incentive that will result in more security.
IT Security: Will it have to become an embedded function of service delivery before it can be handled at a high level?
Security is most definitely better handled by the service provider. My company provides anti-spam, anti-malware, anti-phishing and anti-a-whole-lot-of-other-things automatically in my network connection. It is a crime that home users don't get the same level of service from their ISPs. Of course, the problem is once again incentives. ISPs don't have an incentive to provide those services. Liabilities will change that.
IT Security: In the end, is security a “solvable” problem, at least as far as users are concerned? Or is this the IT version of the War on Terror?
Has there ever been a security problem that has been solved? Murder, burglary: those problems have been around for thousands of years. The fact that someone could even ask if computer security is a solvable problem demonstrates our fetish with technology.
Of course computer security is not a solvable problem. It's a people problem; people problems have been around since people evolved from lower primates, and they'll be around until we evolve into some other life form. Security has always been an arms race, and always will be. The "war on terror" nonsense will eventually fade and become an embarrassment of our history, but the back-and-forth between attacker and defender will remain.