Bruce Schneier on outsourcing, awareness training

At 2009's Information Security Decisions conference, security expert Bruce Schneier sat down to answer some of readers' security questions, which range from the trustworthiness of outsourced security services to the usefulness of awareness training in securing new technologies.

About the speaker:
Bruce Schneier is the Chief Security Technology Officer of BT Group.

Read the full transcript from this video below:  


Mike Mimoso: I am Mike Mimoso and joining me today is Bruce Schneier and we're going to be talking about a variety of security topics today.

Thanks for joining me, Bruce.

Bruce Schneier: Thank you for having me.

Mike Mimoso: Our first question is around the economy and the slow recovery that we're in right now. As you look back at the last 12 to 15 months, how do you think that the industry has responded to the recession, in terms of their security programs?

Bruce Schneier: Security is one of the discretionary things that goes when a company faces hard times. Anything that doesn't affect the bottom line tomorrow, it is something you can delay for later. So we found over the last couple of years a lot less spending in security because you're better off taking the chance than spending the money you don't have. If you spend the money, you'll be dead as a company anyway.

We're seeing a lot of underinvestment in security. It's a mistake. In economic hard times, the threats are greater and companies really have to remain vigilant. I think that we will find, as the turnaround starts and companies have more discretionary money and are looking more towards the long term and not just at the next quarter, that we'll see more spending on security, and it'll catch up to where the threat is.

Mike Mimoso: What security segments do you expect to spike or surge once we're in a full blown recovery?

Bruce Schneier: I think it's going to spike and surge everywhere. I don't think I'd look at any particular aspect of security. And a lot of it is compliance. A lot of it is dealing with customer information. Looking at the new way corporate networks are arranged with a lot of end user devices that the company doesn't have control over, Blackberrys and cell phones and employee-owned laptops. You'll see a lot of security dealing with effectively a hostile network inside the company.

You'll see a lot of dealing with customers and partners. With so many applications now, people you don't trust have access to your network. And, of course, the malware threat and denial of service threat. These are all still a big deal, there's a lot of fraud out there, so there'll be more spending dealing with that.

Mike Mimoso: I see you mention compliance. What are companies doing to get past this notion of compliance equals security? It's definitely a falsehood but a lot of programs are governed by this thinking.

How can companies get around that?

Bruce Schneier: Companies don't have to get around the fact that compliance equals security because for them compliance equals security. This is the problem we have in security. Companies, a lot of them, don't really care about security and we've spent years trying to convince them that a threat is bad, that security is important, that they have to secure their data, their customers' data. They're willing to take the chance and underspend in security. Compliance is the only stick we found that works, and not because companies care about security, because they care about compliance.

I don't think we'll ever get around companies believing compliance equals security. It's our job to design the compliance measures so that it's true.

Mike Mimoso: How difficult is that? That's a huge challenge.

Bruce Schneier: It's hard. You spend a lot of time on compliance's compliance. So compliance is kind of a lossy way to get to security, because you spend money on auditors, on the paperwork of compliance. Some of it goes into security. We've seen a lot more secure networks since compliance regulations have come into place.

But it's sloppy and you can write the regulations better. This is hard. A lot of it is open to interpretation so we're seeing improvement but I think we're stuck with this sort of lossy system.

Mike Mimoso: Let's talk about the move towards security services, in particular some of the benefits and challenges but, more importantly, what security services do you think will make the most sense?

Bruce Schneier: In the end, all of IT will be a service. It really is a function of the nascence of our industry that users care about technology at all or that it matters what your CPU is and what protocols they're using.

That's all going away. People are using Gmail, they're using Facebook, Google docs. These applications, the technical details don't matter or they just don't care about how it works. What does matter, in all of these service applications, is trust. You have to trust Google that they won't lose your mail; they won't expose your mail to other people. You have to trust them.

You have to trust Facebook or Blackberry that they'll route your email. There's a lot here because we have to trust their security even though we don't know it. We have to deal with international boundaries. What does it mean if my data goes to India? What does it mean if I'm a bank and my data leaves my country?

So we have to deal with all those but those are all basically trust issues. And it's the same as any mature industry. IT is young. Computers are so young that we have to deal with technology. And we're getting to the point where we don't. Where it's all going to be trust and reputation and the things you expect out of a mature industry.

And this is going to be hard. I mean, we're in a very weird transition point where I would be, as a company, scared to outsource a lot of my things because I don't trust any people. But that's going to change. As outsourcing becomes more important, becomes more the norm, companies will do things to demonstrate their trust.

You can imagine some outsourcing companies saying we now have a U.S.-only version of this service, or an E.U.-only version of this service just to service those countries. And that's going to happen as this whole thing matures.

Mike Mimoso: I have a career related question. What are some of the big opportunities out there for security professionals right now to exploit in terms of career movement?

Bruce Schneier: I think there's always going to be demand for IT security professionals. There's always going to be a huge demand because the demand is driven by the threat, more than anything else. As long as the criminals are out there, as long as fraud is out there, as long as hackers are out there, there's going to be demand for computer security professionals.

The question to ask is who is going to hire them? Because as we move to more of an outsourcing model, a lot of this expertise is going to start centralizing. So I think there are opportunities everywhere. I think that people who are interested in IT security should follow the specialization that interests them the most. And the jobs will be there because they're driven by the threat.

Mike Mimoso: But the old paradigm of that generalist is kind of gone.

Bruce Schneier: There'll still be a need for generalists and there always will be. Unfortunately, in our society, generalists tend to be under-appreciated and underpaid. You make money as a specialist.

I actually like generalists. I think they are fantastic. But these days if you want to advance in anything, you want to specialize.

Mike Mimoso: As social media and mobile devices become more prevalent in the enterprise, what steps do security professionals need to take to fortify programs around these two initiatives?

Bruce Schneier: I think we have a serious problem that corporate data leaks out of the corporate network. Whether it's on somebody's Blackberry or their cell phone or their home computer, this happens and I don't think we can stop it. I don't think we can go to an employee and say you can't read your email on your home computer. He is going to try to figure out a way around it.

This trend is called consumerization. It's sort of a lousy buzzword but it basically means that the cool, new technology is available to consumer markets first. And what that means is your new employees, who spent college using the cool stuff, are not going to go back to some old computer, an old network when they join your company. And your CEO, who buys the cool stuff because he can afford it, won't be able to be told you can't get to the network on your cool new toy.

So we are stuck with this. It makes security harder. It means we lose control of a lot of our information and the only way to deal with this is through policy, through awareness, teaching people that if you're going to connect to our network on your device, you have to follow these sorts of rules. And it might be just that the corporate email that you get through some web interface is hard to move onto another platform. Of course, you can always cut and paste, you can't stop it but you make it hard enough so it's not the normal way of people operating.

Think about Facebook; a lot of data on Facebook. And nothing stops people from cutting and pasting and putting it on their own computer but no one really does that because it's not the easy way to get at it. I think that's going to be the paradigm for corporate networks. You make the easy way to connect on whatever device you have into our network, our data, or whatever and that's what people will do.

But the security challenges are considerable.

Mike Mimoso: Right. So, in a related question, do security awareness programs really add value?

Bruce Schneier: I'm very mixed on awareness programs. People who say educate the users, I'm convinced, have never met an actual user. There's really a limit to what you can do in awareness programs.

With that being said, I think it's really important to make people aware of what the threat is and to teach people to know what a phishing attempt looks like or what a hacked website looks like and know what they should and shouldn't put in email or on a web form or how to look at a URL. A lot of stuff that we, as security professionals, as smart IT people, sort of know intuitively, more naive computer users like my mother or an average person or employee who's not a techie are going to approach very differently.

I think awareness works if it is the right sort of awareness. I don't think you can teach people how to look at an SSL certificate. They'll never do anything but click OK or Accept whenever they get that dumb dialog box. But you can teach people to be a little bit more savvy and whether that has to be done in a corporate setting, in a school setting or just sort of by being on the net, I think we need to do that. And in fact the younger generation is more savvy about threats than the older generation is. Older people are terrified of stalkers on the net. Ask any teenager, they can tell if someone is pretending to be a teenager. They know the difference. They're not stupid.

Mike Mimoso: One of the toughest parts of the security professional's job is around metrics. What are some of the security metrics that make the most sense in order to help them prove that their security programs work?

Bruce Schneier: And this is hard. What are the metrics? How often you're successfully attacked is really the metric that matters. How much money you've lost due to fraud is the metric that matters. These are unfortunately kind of dire metrics. You want to connect something a little less severe but it's hard because number of attacks is not really a metric. That shows you how bad the world is, not how bad your network is.

This is why we like things like compliance, that metrics often don't tell you a good story. What you want in an SLA, let's say if you're outsourcing your email to some company, is performance. Have you ever had a compromise and, if so, what was the magnitude and whose fault it was? That's an important metric.

But these aren't performance characteristics. So, performance metrics are easy. How fast is it? What is the latency? How many things can you do per second? You can do performance metrics but when it comes to security and safety and reliability, all those sort of why requirements, the ones that are not performance related, metrics are hard.

Mike Mimoso: I have a question around third party security. Would the public not be better served with a Government mandate requiring companies to establish multi-factor authentication for accounts that deal with any kind of financial data or other sensitive data?

Bruce Schneier: I think we would do a lot better as a society if Government would mandate security in some instances. Be careful about requesting Government to mandate a solution.

So, in the question you asked, should Government mandate two-factor authentication? No. The Government should mandate that personal information be secured and the penalties are severe and, once you do that, the market now takes over.

Capitalism is really good at figuring out how, they're terrible at what. So you tell the market what and they'll figure out how. And if two-factor authentication works, they should do that, and if something else works, they should do that. If they invent something new and it works, they should do that. And if between now and five years later something new is invented, then we should do that.

Don't write laws that tell how, write laws that tell what. But yes, I think we would do a lot better in our society if the Government would mandate privacy in our transaction records, in our accounts, with severe penalties, because the problem we have is a market failure, that there isn't a market impetus to install the security countermeasures.

Mike Mimoso: A last question, Bruce. Do you think that traditional security controls, like firewalls and IDS and proxy servers, are going to become a thing of the past as security moves toward implementing controls at the bit or data level?

Bruce Schneier: I think all security would be a combination of things and data level security, information level security, every transaction security, whatever they're going to call those things is important but I don't think they'll take the place of network level security like firewalls and IDSes or anti-virus. I think none of them will be perfect so we're going to need both.

It would be wonderful if true, perfect security would emerge at the bit level, at the data level. That's not going to happen in our lifetimes. So we should expect for the foreseeable future, a combination of many security measures overlapping, redundant and hopefully not failing at the same time.

Mike Mimoso: Great and thanks for joining me today, Bruce.

Bruce Schneier: Thanks for having me.

Mike Mimoso: And thanks for watching. My name is Mike Mimoso and, for more security news and advice, please go to
