Schneier certainly knows his way around such questions. He is the founder of Counterpane Internet Security, a global provider of outsourced security monitoring services. With a suite of services -- including firewall and IDS device management, vulnerability scanning and consulting -- Counterpane monitors security on more than 400 networks in 32 countries.
Recently, CIO Update asked Schneier to turn some of his book's wisdom into advice for CIOs.
Q: As you point out in Beyond Fear, a better understanding of trade-offs leads to a better understanding of security. How can CIOs help other chief executives understand that network security must be balanced against what companies are willing to give up in money, time, convenience, flexibility and privacy?
SCHNEIER: I'm not sure they have to. CEOs naturally understand business risks and trade-offs. They're constantly trying to balance the needs of various departments -- sales, marketing, engineering -- with each other, with the needs of the investors and with the realities of the marketplace. Security is simply another thing that needs to be balanced. Simply describing security trade-offs in this language is usually enough to add them to the mix.
How can a CIO best estimate the cost of a potential network attack in order to decide what resources to dedicate to preventing such an attack?
Accurate statistical data is hard to come by, but CIOs need to estimate the value of their information assets -- as they would any corporate asset -- and determine the potential loss to the company if they are stolen, publicized, or simply made unavailable. Losses are myriad, and include both direct financial loss and more intangible things like reputation and goodwill. Most security companies have ROI tools that can be used to estimate risks and mitigation costs.
When does a CIO know he or she needs outside help with security?
I would hope a CIO would realize that the day he's hired. Security is a specialized discipline, and not something a random computer person can learn in his spare time. Just as a CIO hires an outside firm to do his payroll, prepare his taxes, and provide legal advice, a CIO needs to hire an outside security company for security expertise.
In Beyond Fear, you say technology will continue to alter the balance between attacker and defender at an ever-increasing pace. If it's already difficult for CIOs to keep up with existing threats, what hope will they have of keeping up within three years time? Within five years?
The only way is to put pressure on vendors. Unfortunately, the problem is not one that CIOs can solve within the confines of their own organization. All they can do is buy products that are as secure as possible, and buy security products to handle the residual problems. Unfortunately, vendors of computers, operating systems, and applications don't provide the level of security that CIOs require.
In your book you also point out that complexity is security's worst enemy. How does a CIO know when his network security plan has gotten too complex?
All network security plans are too complex; it's the nature of the beast. Networks are complex, and network requirements are complex. This is the core reason why computers and networks are so insecure. There's really no way for a CIO to change that; fixing the problem would require fundamental changes in how we build and use computers. But a CIO has to realize that the complexity of his systems does limit his ability to secure them, and plan accordingly.
Is it a common mistake for CIOs to set a security plan and then think that security is taken care of? What advice can you offer to keep CIOs on their toes and help them to realize that, as you say, security is like a never-ending game in which the defenders can never afford to rest?
I've been saying, "Security is a process, not a product," since I formed Counterpane. To me it's obvious, as it is to anyone who's tried to deal with the problem. I think CIOs either understand that or they don't. If they do, they'll begin to understand what it takes to maintain sufficient security in their networks. If they don't, it'll probably take a serious financial loss to convince them.