Security Renaissance

Promoting the art and mindset of information security

Ren - ais - sance:

(lowercase) a renewal of life, vigor, interest, etc.; rebirth; revival: a moral renaissance

I’m a big fan of Gary McGraw’s Silver Bullet Security podcast.  Last week I listened to episode 9 which featured an interview with Bruce Schneier (of whom I am also a big fan).  

I was a bit taken aback when Bruce said that, in today’s world, “security is all about technology.” To be fair, he did qualify that statement by noting that a broad social, physiological, and economic background will always play a part – but, in my mind, he minimized that aspect.

Here is the context: at 3min 34sec into the podcast, Gary McGraw made reference to the transition from “guns, dogs, and concrete” to more technological security infrastructures. With that background, he asked, “do the future security people of the world need to be technologists, do you think?”

Bruce Schneier’s reply was:

I think security is all about technology. There are definitely fundamental social and economic issues; there are ways of looking at the world that let you see the big picture: to see how attacks work, how defenses work, what sorts of countermeasures there are. But once you get past that broad picture and that broad analysis, it’s all about technology. And whether you’re looking at home security or computer security or airport security, you’re looking at technology and how technologies work; how they fail – the details of technologies are vital. So while you need the big-picture, non-technological perspective, you need to apply that into the technologies because everything now is technological.

While I don’t fully disagree with Bruce’s statement, I feel that it could be misleading. Everything is now technological, but I believe that very fact increases the importance of developing a “security mindset.” We’ve seen security technologies which are not necessarily secure; vulnerabilities have been found in anti-virus software, IDS/IPS systems, and so on. Even when the big-picture perspective is applied to technologies, a loop must exist which will allow that perspective to be re-applied as we gain further insight into how the technologies may be used/misused, what their failings are, and what tactics/countermeasures may have been lacking the first time around. As much as I hate to make the allusion to a Capability Maturity Model (CMM), something similar must exist for security in which the big-picture strategists and the in-the-trenches technologists can interact and improve upon security solutions in an iterative fashion.

So, I guess that I’m looking through the prism at a slightly different angle than Bruce. My opinion is that, yes, the technologies are becoming increasingly critical to the protection of our infrastructures; but that makes it even more important for us to really think through the ways that the technologies can fail or be misused.

One Response to “I hate to disagree with Bruce Schneier because it probably means I’m wrong…”

  1. Read Dan Verton’s book The Insider, where he says that technology will be necessary to prevent insider breaches and protect users from themselves.

     Rob Lewis
