Talking with security expert Bruce Schneier does not always leave a person feeling more secure. That's because Schneier doesn't sell easy solutions. Instead, he challenges businesses, governments and individuals to examine their assumptions about risk, to eschew simplistic answers and to accept the fact that no system is--or can be--perfectly secure.
Now the chief security technology officer of BT, Schneier worked at the Department of Defense and Bell Labs before founding Counterpane Internet Security, which was acquired by BT. He has a master's degree in computer science and a B.A. in physics.
Books by Schneier include Applied Cryptography, an explanation of codes and code-breaking that Wired magazine called "the book the National Security Agency wanted never to be published"; Secrets and Lies, about computer and network security; Beyond Fear, a look at issues facing individuals and organizations; and his latest, Schneier on Security, a collection of his articles and essays. Schneier discussed these issues with CIO Insight Senior Writer Edward Cone. This is an edited version of their conversation.
CIO Insight: What will a CIO take away from this conversation on security?
Bruce Schneier: If you don't get the economics right, no security will work. A lot of failures aren't technical failures--they're motivational failures or tradeoff failures. Security is hard: It's not simply a matter of tossing a piece of technology at a problem. The devil is in the details, and the details are complicated.
CIO Insight: One of the more compelling security stories I worked on involved a casino that had a real culture of security. It had lots of technology, and everyone expected to be watched. The CIO has no problem checking his laptop in and out every day, and dealers yell out every time they break a $20 bill. It reminds me of the example you've used of the bell on cash registers being there to alert the store owner that the clerk is handling money.
Schneier: It's an old culture--a culture that's used to dealing with cash and that isn't forgiving of security breaches. For decades, they've had a culture of people watching people watching people: Dealers watch customers, pit bosses watch dealers, floor managers watch pit bosses and the cameras watch everybody.
There are audits and controls every which way, because they're dealing in a high-volume cash business. However, they needed to build a system of checks and balances. They couldn't just have everything be on credit cards and check it at the end of the month.
CIO Insight: How do you inculcate that kind of culture in your people if you're in another industry?
Schneier: You probably can't do it, and it's probably wrong to try. People are inherently nice--and social. The reason social engineering works is because people are polite and helpful and friendly. You could inculcate them to be mean, surly, suspicious and nasty, but you'd probably go out of business.
Imagine setting up a bank where everyone is strip-searched when they go into the building. It would be more secure, but it wouldn't be a very profitable bank. And imagine a department store where everybody is watching everything, and everybody is suspicious. Nobody is going to shop there.
Security is a tradeoff. These types of human security issues, human attacks, social engineering, all prey on the inherent qualities that you want in your employees. You want them to be friendly and helpful. You want them to be team players. You can turn them into something else, but your company is going to suffer.
We're probably going to have to accept a certain amount of social engineering as the price of being in business. So now the question is, What sort of controls can I put in place--whether preventive or auditing--to limit the amount of damage that is inevitable, because I'm hiring pleasant people as employees?