Home » Topics » Cybersecurity » Processes the key to security – Schneier

Processes the key to security – Schneier

Avatar photoby Ben Rossi

5 November 2003 Security specialists should think less about technology and more about processes, according to IT security expert Bruce Schneier.

“Security has never been a technology problem, it’s always been a people problem,” said Schneier, the chief technology officer of Counterpane Internet Security. All security involves trade-offs in terms of cost and convenience and can also have knock-on effects that may undermine the original security measure, he added.

 
 
 

Furthermore, security systems that successfully keep out attackers can also fail because they lock out or inconvenience legitimate users. “An ATM [automated teller machine] that shuts out one in 100 legitimate users will never be deployed… firewall rule sets get turned off because of complaints from legitimate users,” he said.

As a result, “the security measures people take have very little to do with security,” said Schneier.

At the same time, organisations will adopt security measures that are in their best interests. For example, banks rarely examine the signatures on cheques because it is cheaper for the bank to leave it to account holders to check their own bank statements.

Schneier, a respected cryptographer and author of a number of books on computer security, was speaking at the RSA Security conference in Amsterdam. His thinking on security has shifted from the purely technical to a higher, more organisational level because, he believes, it is often the implementation of security systems that determine how effective they are, rather than the pure technology.

Schneier suggests that organisations ought to work through a five-point process to evaluate what it is they want to protect, how it can best do that and what the likely consequences of that action might be:

  • What assets are you trying to protect?
  • What are the risks against them?
  • How well do the proposed counter-measures defend against the risks?
  • What other security problems are the counter-measures likely to cause?
  • What are the costs of the counter-measures?

Schneier’s latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, was written in response to security measures introduced following the 11 September 2001 terrorist attacks on New York and Washington.

Schneier suggests that many of these measures, such as the introduction of identity cards in the UK and some of the security measures in place at US airports, are ineffective because they have not been properly thought through.

The idea was to take the principles of good security to a wider audience and to demonstrate that they are essentially the same, regardless of whether they are implemented in the ‘virtual’ world or the real world. “I wanted to write a book that my mother could understand… She’s read it and she likes it,” said Schneier.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise