Thursday 24 April 2008

The Day I met Bruce Schneier at InfoSecuity Europe ‘08

No matter the profession or walk of life we are all in, we all have our heroes and mentors, for some it is the likes of Einstein, Winston Churchill, Lance Armstrong, Tiger Woods or Richard Branson, for others it’s Elvis or Amy Winehouse. For me it’s Bruce Schneier, who first made a name for himself as a predominant cryptography expert in 1960s and in recent times has evolved into a fresh and forward thinking security guru. Sure this proves that I’m geek for sure, but for those who have ever read any of Schneier’s recent books, blog entries or heard him speak will understand where I coming from.

I can’t say I agree with absolutely everything Bruce says, but what grabs me is his unique approach, perspective and understanding of security and the information security industry. Bruce takes a large step back, then cuts out all the politics, security company marketing and associated sales hype, at which point you are left with the bare bones and the questions on what security is really suppose to be about. Which is, what do you want to protect, what are the risks, how will the security solution mitigate those risks, what risks does the security solution introduce and finally what are the costs, inconvenience and trade-offs around the security solution to mitigate the original risk.

As a security professional you have to careful not to fall into the trap and tunnel vision in chasing perfect security and zero risk, because there is simply no such thing as perfect security and zero risk! Then the other side of this coin is to ensure the security is appropriate for the risk, making sure the security cost and trade-offs are viable against mitigating the actual risk of attack. Let me take a “real world” UK example, I sure someone might of raised this one, but in order to reduce the risk another London Underground bombing, we could impose a security counter measure of searching all passengers and their bags prior to them entering the system, like we do at airports. It might reduce the risk of attack, but when thinking about the trade-offs, which is huge passenger inconvenience and high costs in employing extra staff to carry out all the searches, does this make it a worthwhile security solution in relation to the risk? The rational answer is clearly no, as it’s just not viable, and so we continue to accept this risk of terrorist attack. OK, let’s say we went with that security solution, at the end of the day, there still would be a risk of terrorist attack on the London Underground, and the only real way to completely mitigate that is to completely shutdown the underground system!
With business IT Security the same approach should apply, sure there are areas of Law and Industry compliance which must always be followed, but when dealing with security problems outside these areas, I always try to emulate that great Schneier vision, take that step back, making sure the business trades-offs and costs are balanced against the attack risk, it’s not always that easy, the real difficulty is in quantifying elements, especially the attack risk. Fortunately for me, I utilise some of my own methods and practices which I have built up over the years to mitigate typical business risks, while causing minimal security trade offs and cost.

Anyway, yesterday I attended InfoSecurity Europe, and I was chuffed to pieces, as not only did I get to listen to Bruce Schneier talk about the Security Industry, but I got to briefly meet him and I got a signed copy of his latest book, Beyond Fear. Which is a must read not only for Security Professionals, but for anyone in general who wants to understand what security is about without knowing any of the technical jargon. I also recommend signing up to Crypto-Gram Newsletter run by Bruce at http://schneier.com/.

After the doors shut at InfoSecurity (ISC)2 EMEA held an event which I attended. From my perspective as CISSP member, I have to say EMEA (ISC)2 is progressing well under the leadership of John Colley, the event itself is evidence of this. Amongst the (ISC)2 bigwigs at this event, was former White House Cyber Security Advisor and (ISC)2 Security Strategist for (ISC) Prof. Howard A. Schmidt, who was also a keynote speaker at InfoSecurity Europe, again another guy who I can listen to all day. http://www.isc2.org/

Finally I met several guys from the UK Chapter of ISSA (Information System Security Association), I promised that I would sign up and get involved after learning that whey were planning more events in northern England. http://www.issa-uk.org/