Bruce Schneier: It’s Time to Start Prioritizing IT Security

Cyberattacks are getting more frequent, sophisticated and successful. Can organizations adapt security choices to cope better?

Nobody would disagree that IT security is necessary.

At minimum, it's needed to satisfy relevant government and industry compliance regulations, along with your insurance company, investors, suppliers, customers and other business partners. At most, it also protects your data and systems from much-dreaded cyberattacks.

The hard part lies in the details.

'What type of security should we invest in?"

"How much will this cost?'

'Is there any ROI on security spending?'

To explore these issues, we sat down with security technologist Bruce Schneier, a security pro who wears several hats. In addition to being the Chief Technology Officer of Resilient Systems, Schneier is the author of a dozen books, along with hundreds of articles and essays, including his Crypto-Gram monthly newsletter and 'Schneier on Security' blog (@schneierblog), which are read by an estimated quarter-million people.

Needless to say, this guy knows the answers to your IT department's questions. That's why we spoke with him to discover what exactly today's companies should be prioritizing when it comes to IT. Is company spending on security increasing? How much more — or less — would be enough (or at least better)?

BRUCE SCHNEIER: Those are good questions to ask, but difficult ones to answer. The problem is that we really don't have good data on either security spending or security effectiveness. My guess is that we're spending about the right amount of money, but that we're spending it wrong. We overspend in some areas and underspend in others.

WI: How do top companies make the "where to spend?" decisions?

SCHNEIER: Companies spend money where regulation requires it, of course. And they spend money where auditors tell them to, because compliance is a big deal in business. Otherwise, they spend it based on anecdotal evidence: What they believe industry "best practices" are, what they think will help, and what they think they can get away with avoiding.

WI: So, why are we still underspending or misappropriating security dollars?

SCHNEIER: We simply don't know how to spend money effectively on security. There's also a psychological bias at work: we tend to grossly exaggerate and overspend on the uncommon and spectacular risks, while underspend and downplay the common risks. And this is not just IT… this type of mindgame affects everyone in all walks of life.

WI: IT security breaches have, of course, been headline news over the past few years, including the recent U.S. Office of Personnel Management (OPM) records breach, the Sony email, Target, etc. Is IT simply not paying enough attention to known vulnerabilities?

SCHNEIER: IT has long paid attention to known vulnerabilities. In a sense, that's that easiest part of security. We're still not good at it, of course, but the security path is pretty straightforward. I think we need to pay attention to the whole process.

Security is a mix of prevention, detection and response. Prevention is the easiest to focus on, and it's where we first saw mass-market security products and services. Detection came next. Now it's Response's turn. When you look at all of those breaches you mention, and many of the others in the news as well, the failures were more of detection and response than of prevention.

WI: One way of looking at security is that it enables companies to do things they otherwise couldn't. For example, securing BYOD use of public Wi-Fi, encrypting media before employees leave the premises, providing VPNs for safe(r) mobile access… is this IT argument gaining traction? Can security costs be spun as contributing to RCO, TCO etc.?

SCHNEIER: It's hard. Security is infrastructure, like power or your desk. And while infrastructure enables companies do to things they otherwise couldn't, it's difficult to claim that a desk contributes to RCO or TCO. Companies have tried over the decades, but it just doesn't make sense to potential customers or investors. Power and phone and IT security are considered to be costs; I think we just have to accept that.

WI: Where is IT succeeding in getting budget for security measures?

SCHNEIER: Compliance is probably the best tool we have to get IT security budget. It's kind of amazing. You'd think that trying to prevent a massive security breach would be incentive enough, but turns out that executives are willing to take the chance. Failing an audit, however, is a big deal.

WI: Is there any sense of whether (increased) security spending reduces breaches, and the cost of breaches?

SCHNEIER: On the one hand, of course spending more money on security reduces the opportunities for breaches. On the other hand, it's pretty easy to spend that extra money badly and have no increased security as a result. That's why this is all so difficult.

WI: What can companies do, in terms of increasing IT security, to reduce the risk and impact of breaches?

SCHNEIER: The answer involves hiring smart people and doing what they say. I'm big on incident response these days. Often the best value for incremental security spending is beefing up your incident response team.

Categories: Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.