Q&A

Bruce Schneier Q&A: The Endless Broadening of Security

For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.

By Scott Berinato

June 02, 2008 — In September 2003, CSO published a groundbreaking interview with security guru Bruce Schneier. At the time, Schneier was evolving from cryptographer to general security thinker. An emerging generation of Internet criminals and the new realities of a post-9/11 world were fueling his ideas beyond information security to the broader realm where technology and the physical world interacted. He was beginning to see security as a social science. "Real security means making hard choices," Schneier said at the time. It's one of his favorite interviews, and one of ours, too.

Now, nearly five years later, we wanted to find out how Schneier's views on security have evolved since then. Of course his views have changed—Schneier is not one to let his ideas settle into complacency. For Schneier, who is Chief Security Technology Officer of BT, security keeps getting broader, more general, more related to every aspect of our lives. Security, which started for him as fixed equations used for hiding digital data, has become nothing less than the fundamental catalyst for all human behavior. "I have come to believe that security is fundamentally about people," he says.

With this endless broadening of security has come an endless broadening of ambition. Schneier is launching launch the Workshop on Security and Human Behavior—an effort to bring together the brightest thinkers from any number of disciplines: Economists, technologists, psychologists, even poets will be there. The goal is no less than to launch a new academic discipline.

CSO spoke with Schneier about this effort, his impressions of how security's changed over the past five years, and the highly sophisticated risk management practiced by lima beans.

CSO: Five years ago, we published The Evolution of a Cryptographer about how your views on security had changed. Let's start there again. How have your views changed since then?

Schneier: My career seems to be an endless series of generalizations. First cryptography, then computer and network security, then general security—airlines, ID cards, terrorism, and so on—more recently security economics, and now the psychology of security.

This evolution reflects my continuing search for broader contexts by which to understand security. I started out in the details of the technology, but have come to believe that security is primarily about people—and that understanding the people is more important than understanding the technology. Because if we get the economic or psychological motivations wrong, it doesn't matter how good our technology is; it's not going to be used.

CSO: In other words, the fact that, technically, something should be secured has little to do with whether it will be secured?

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development