How Sarbanes-Oxley changed the information security profession


This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."



8 More Security Stars

Paul Sarbanes and Michael Oxley may lead the way, but they're not alone. Here are eight more important figures from the past decade.

BRUCE SCHNEIER Bruce Schneier wants to change the way you think about security. During the past 10 years, he's explored every avenue of influence available to him--blogging, books, keynotes--to great degrees of success. Secrets and Lies: Digital Security in a Networked World, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, and Applied Cryptography are mainstays on the bookshelves of most security professionals, and the Cryptogram newsletter graces inboxes once a month, much to the glee of its thousands of readers. Schneier has his opinions, and for a decade he hasn't been shy about sharing them.

But he hasn't always been about overtly influencing thought. Schneier made his bones in cryptography, having written or co-written the Blowfish and Twofish algorithms, among many others, helping to make the practice mainstream after some shaky years battling the government over export controls.

"Electronic commerce was the killer app for cryptography, and that's what forced it out of the shadows and into the mainstream," Schneier says. "But really, we won the crypto war because cryptography doesn't matter nearly as much as we thought. Back in the mid-1990s, we thought cryptography would protect our data from outsiders. But the real problems are in computer and network security. It doesn't matter how good your encryption is if the bad guys installed a Trojan on your computer, or a keylogger. I think the FBI realized, a couple of years before we all did, that cryptography wasn't all that important."

What is important these days to Schneier? Well, besides blogging about airport security, terrorism and other trends beyond information security, Schneier is tackling the subject of psychology and security. He stresses that today's CISOs must get the psychology of security correct, else security systems will fail regardless of the strength of the technology.

"If there's one thing I've learned in all my research into human psychology and how we deal with security, risk, trade-offs, costs and decision making, it's that people are not rational," Schneier says. "People make decisions in completely irrational ways, breaking all sorts of rules of logic while doing so. Our brains are weirdly engineered, with overlapping systems, fail-safe overrides, memory glitches and systemic bugs. And while we are superbly engineered for the cognitive problems that arise while living in small family groups in the East African highlands in 100,000 BC, we're much less suited to 2007 New York."


Read the complete interview with Bruce Schneier at searchsecurity.com/10thanniversary.


This was first published in January 2008
