This week, as part of our new “Infosec Influencer” series, I had the pleasure of sitting down with Bruce Schneier, an internationally renowned security technologist and one of The State of Security’s Top Influencers in Security You Should Be Following in 2015. He has written 12 books, including Liars and Outliers: Enabling the Trust Society Needs to Thrive, not to mention published hundreds of articles and essays. His blog has is read by over 250,000 people, and he is regularly quoted by the press. Additionally, he regularly testifies before Congress and is an advisory board member for EFF and EPIC, among other organizations.
David Bisson: What made you decide to get into the field of information security?
Bruce Schneier: I have always been interested in cryptography and have long pursued it as a hobby. I got into the field almost by accident though. I was writing freelance computer articles for a living and found that I enjoyed writing cryptography articles for the magazine Dr. Dobb’s Journal. My first book, Applied Cryptography, came from that. I basically wrote the modern cryptography book I wanted to read. After that, it just snowballed. I am a generalist: what I think of as a meta-meta-meta guy. So after cryptography, I started writing about computer and network security, then security technology in general, then the economics and psychology of security, and now both the sociology and politics of security.
Along the way, I founded Counterpane Internet Security, Inc., a company that focused on managed security monitoring. And now I am the CTO at Resilient Systems, Inc., a company that makes incident response management software.
DB: Why did you go on to become a cryptographer and then a security blogger? What are the challenges/successes associated with these paths?
BS: The paths I chose are very different. The first is math, and the second is writing. Most people who are good at one are not very good at the other. But there’s huge value in being good at both: the world needs technical people who can explain things to a non-technical audience. So many of the major problems our society faces have a technical aspect, and there is such broad mistrust of science in parts of our society today. The more we can counter that, the better off we’re all going to be.
DB: What is your biggest mistake, and what have you learned from it?
BS: This is going to sound weird and arrogant, but I don’t think I’ve made any big mistakes. Or, at least, no mistakes that stand out in my mind. Everyone makes mistakes, and I think the most important thing is to be resilient and agile so they don’t become big.
DB: How do you feel the security industry has changed since you first started in the field?
BS: It’s matured enormously. It’s kind of obvious for me to say that, since my first cryptography article appeared almost 25 years ago. And the security industry has grown alongside the Internet. But here’s a change that I have been thinking a lot about recently. The 1990s was the decade of prevention: all security products tried to prevent bad things from happening. Antivirus, firewalls, and so on. Of course that wasn’t enough, and the 2000s was the decade of detection. The prevention products didn’t go away, but we added things like IDSs and log monitoring services. This decade, the 2010s, is the decade of response. We’ve finally recognized that prevention and detection aren’t enough and that an organization needs to invest just as much in response. When I go to conferences these days, this is the most interesting area of security technology innovation I see.
DB: What is the most pressing threat facing computer users today? Do you have any recommendations for how users can protect themselves?
BS: I think the most pressing threat comes from legal uses of our data. Because so much of our lives involve computers, we generate an enormous amount of data about ourselves and our actions every day. Both corporations and governments are collecting that data and using it for their own ends. I think this is a huge threat and one that we’re not going to easily mitigate. The solutions largely aren’t technical; they’re legal and political.
DB: What would you recommend to someone who is looking at a career in information security?
BS: Do it. It’s a fun career, and there are huge demands for skilled people in every aspect of the field. Pick the specialization that interests you the most, and do it. And then when another specialization interests you more, change.
To read the first installment of our “Infosec Influencers” series, please read Parts 1 and 2 by clicking here and here, respectively.