At Information Security Decisions 2009, Bruce Schneier and Marcus Ranum took to the stage to discuss some of the most contested issues in information security. This first segment covers the following topics:
- 0:10: The presentation begins with a question about what the security industry will look like in five years.
- 2:24: Ranum discusses what he thinks the infosec pro of the future will look like.
- 4:10: Are security professionals going to end up becoming compliance professionals?
- 5:32: Schneier explains his mixed views on compliance.
Check out other topics in this series:
- Part 2: Social networking
- Part 3: Compliance and security
- Part 4: Cybersecurity coordinator
- Part 5: Security metrics
- Part 6: Audience questions
Read the full transcript from this video below:
Schneier-Ranum face-off, Part 1: The future of information security
Marcus Ranum: First question, will there be a security industry in five years?
Bruce Schneier: Yes. There will be a security industry as long as the threat is there; as long as there are hackers, criminals, fraudsters. As long as there are computers full of insecurities, there will be a security industry. There's no doubt about that. I've been writing for a couple of years, and I think the industry will change. It will change drastically. It will look less like a consumer industry and more like an industry industry.
So, as we move more to services, things like email on Google or Facebook or Google Docs, the things where we get a service and don't actually care how it happens. We'll have less control over our security. I can't call Google up and say, "Hey, I got a new security. I want you to do this." They'll laugh at me. I have to trust their security. So, security will exist. It has to exist; it's not going away. But I think what changes is who we are all working for and how it works.
And the industry, as we mature, will look a lot more like the automobile industry, whether you like it or not. Security and safety features are packaged in easily consumable cars, which we buy. And there are lots of conferences out there where Auto Tech is discussed. We're just not invited to them. So, I think security will look a lot more like that in the next--I don't know if it's five years--but that kind of thing is coming.
Marcus Ranum: I think we're already heading there; and actually, your analogy that Auto Tech may be what the future of security looks like, I think, is a really good one. Because when you take your car in nowadays, the guy goes, "Ah, that little electronic wibblefrats [SP] right there is going to cost you $600." And then, the guy buys a new one and snaps it in and then you go, "That cost me $600?" Yeah, well, I did know where to snap it in, and that's what you paid for. And then, the little wibblefrats is made by one company, and it's the only place in the world that actually understands how it works, and you're not the person who understands how it works.
So, part of where I see all of this stuff going is that the security practitioner of the day is largely going to be gone. The guys like me, and so forth, who used to go around and build a log management solution in an afternoon because we needed to do something to manage our logs--we're going to be gone. We're going to be replaced with what? A 2U-high rack-mount system and a 1U-high rack-mount system. So, that's where I'm going. I'm going to be two little red boxes in a rack some place.
Bruce Schneier: In India.
Marcus Ranum: In India. Run by somebody who you have to trust because you have no choice but to trust that person. And that's the place where I'm concerned and where I think security, as Bruce says, is going to always have a place at the table because it's still going to be your responsibility to understand where your data is and who's got it.
The question is, are you going to have any control over it, right? Who will you call when you want to call someone at Google and say, "Where's my data"; or you want to call that guy at the data center, wherever it's cheapest in five years, and go, "Why is my data on eBay?" They'll go, "You know, our service-level agreement said we could sell it." That's going to happen, right? And so, the security practitioner is no longer going to be the person who knows how to bash out some beautiful C code to handle log compression at 150:1 compression ratios. It's going to have to be somebody who can parse a legal document, talk to a lawyer, and spend a tremendous amount of time on the telephone.
Bruce Schneier: And this is not unusual. You think about tax preparation. If your taxes are wrong, you pay the fine; you go to jail, even though your accountant might have made the mistake and you didn't know about it. So, we are used to this. It might not be good. We might not like it, but outsourcing expertise without outsourcing the liability for that expertise is not a new thing in our society.
Marcus Ranum: We already are compliance specialists, and we used to be compliance specialists. So, I don't think that this is anything new. It used to be that people would come in and they'd say, "Well you know, you're doing something with the system logs." And we'd go, "Yeah, we're doing something with the system logs" and they would believe us. Now, what's happened is that for too long that process went on, when people went, "Yeah, we're doing it; we've got a firewall," and they didn't.
And what's happened is that we've been caught too many times lying and saying, "Yeah, we did things right"; or worse yet, trusting our software engineers when they said, "Yeah, we took care of it." And so, now we're being held to a higher standard of accountability because all of our BS has come home to roost. And I think that's really what's happening: we're going to become very involved in compliance because we screwed up for the last 20 years. And I think it's going to get a whole lot worse.
The reason I think it's going to get a whole lot worse is, repeat after me, compliance doesn't actually do anything for your security. It's just a paper exercise. If you actually secure your systems, then you're doing something for security. And so, what I'm afraid is going to happen is that this whole big push towards compliance is going to be like the homeland security thing, where we basically have a huge bonfire of money, and then people go, "Well, that was fun; now what?"
Bruce Schneier: Yeah, I have very mixed views on compliance. Anyone who is involved in security law knows that it's really hard to get you guys to buy security. And it happens again and again. Whatever the security thing is, it's hard to get people to care enough about security to buy the thing to do the thing. And over the years in the industry, we've tried a whole lot of tricks to get you to buy stuff. The trick that seemed to work, the only one so far, is compliance. I mean it's not that you want the security, but, oh, compliance. We have to be in compliance. It's a check. And Marcus is right. Compliance never got anybody security, but except by accident.
So, we have noticed all through the industry that security is improving, as companies care more about compliance. It's an incredibly [inaudible 06:23] process, because compliance costs a lot of money churning in itself, doing nothing, but sort of as a by-product. Some security is dealt with, right? Compliance will include log management, so it might include that thing. It'll include a lot of other things. So, I think, yeah, we're going to do a lot of compliance, because that's what your bosses care about. And they care that you are in compliance. That's what matters. If we get some security along the way, great; I'm happy. But your bosses are really only going to be happy if you are in compliance.
Marcus Ranum: Of course, what I'm afraid is going to happen is the boss is going to say, "Well, the compliance check list says you need a log management solution." So, I buy the 2U high and 1U high rack mount machines, and I stick them in a rack and I turn them on and never look at them. I'm now in compliance.
Bruce Schneier: This is exactly what happened with firewalls. You needed a firewall, so the firewalls that have succeeded in the marketplace were not the good ones, were not the ones that worked best. They were the ones that were simplest to plug in and turn on, and not think about. And because that's how you get a firewall at the lowest possible cost and effort. And it'll be the same thing for every other security device and service. So, what we hope is it'll improve things, but it won't be as much as we think. But even so, this is still the best thing we've got right now.
Marcus Ranum: And this is why what Bruce said really depresses me. Because, basically, every time we talk he says, you know, your whole career that you've spent trying to actually build good stuff was completely wasted.