Q&A: Cybersecurity Guru Bruce Schneier Joins a Startup
Cryptographer, essayist, book author, free thinker, privacy advocate and cybersecurity thought leader Bruce Schneier announced a few days ago that he's joining Co3 Systems as its new CTO. The Cambridge, Mass.-based startup helps companies comply with data privacy and data loss disclosure regulations. Schneier shared what's top of his mind with CyberTruth.
CT: You started in encryption, and had a great run as a globe-trotting cybersecurity guru. What got you interested in doing hands-on vendor work again?
Schneier: Who says I can't do it all? After seven years at British Telecom, I was itching to join a start-up again. I have been involved with Co3 Systems for about a year, first as an informal advisor and then on their Technical Advisory Board. All of what I do and write about is predicated on real-world problems and solutions, and it will be good to get up close to actual corporate security customers again. But I have no plans on stopping any of my other writing or speaking projects.
CT: Vendors bearing systems to detect, stop and investigate APTs are getting a ton of attention; Co3 Systems is coming at the problem from another angle. What piqued your curiosity most about Co3's business model?
Schneier: For a couple of decades I've been talking about three parts to security: protection, detection, and response. Response is the most neglected of the three, and that's where Co3 Systems sits. It's the only product that does incident-response coordination, which is important right now for two reasons. One, attacks have gotten more sophisticated, which means response has to be similarly sophisticated. And two, the regulatory environment has gotten more complicated, which means response has to be more regimented and documented. One of the real problems with any emergency response system is that it is only used in an emergency, which means that it's real easy to get it wrong. Co3 Systems solves all of these problems.
CT: What cybersecurity issues will command the most attention in 2014?
Schneier: Nation-state surveillance, and whether we want an Internet where everyone can engage in ubiquitous surveillance, or an Internet where no one can. This is what the NSA debate is really about. It's not about whether the NSA should spy on the world or it shouldn't. Today's secret NSA programs are tomorrow's PhD theses and the next day's hacker tools. Either we want a secure Internet or we don't.
CT: Anything else?
Schneier: The security of embedded systems—routers, modems, and all the consumer devices being shown at CES this week—is going to be a huge issue in the coming years.