DERN: Is company spending on security increasing? How much more — or less — would be enough (or at least better)?
BRUCE SCHNEIER: Those are good questions to ask, but difficult ones to answer. The problem is that we really don’t have good data on either security spending or security effectiveness. My guess is that we’re spending about the right amount of money, but that we’re spending it wrong. We overspend in some areas and under-spend in others.
DERN: How do top companies make the “where to spend?” decisions?
SCHNEIER: Companies spend money where regulation requires it, of course. And they spend money where auditors tell them to, because compliance is a big deal in business. Otherwise, they spend it based on anecdotal evidence: What they believe industry “best practices” are, what they think will help, and what they think they can get away with avoiding.
DERN: So, why are we still under-spending or misappropriating security dollars?
SCHNEIER: We simply don’t know how to spend money effectively on security. There’s also a psychological bias at work: we tend to grossly exaggerate and overspend on the uncommon and spectacular risks, while we under-spend and downplay the common risks. And this is not just IT. This type of mindset affects everyone in all walks of life.
DERN: IT security breaches have, of course, been headline news over the past few years, including the recent U.S. Office of Personnel Management (OPM) records breach, the Sony email, Target, etc. Is IT simply not paying enough attention to known vulnerabilities?
SCHNEIER: IT has long paid attention to known vulnerabilities. In a sense, that’s the easiest part of security. We’re still not good at it, of course, but the security path is pretty straightforward. I think we need to pay attention to the whole process.
Security is a mix of prevention, detection and response. Prevention is the easiest to focus on, and it’s where we first saw mass-market security products and services. Detection came next. Now it’s response’s turn. When you look at all of those breaches you mention, and many of the others in the news as well, the failures were more of detection and response than of prevention.
DERN: One way of looking at security is that it enables companies to do things they otherwise couldn’t. For example, securing BYOD use of public Wi-Fi, encrypting media before employees leave the premises, providing VPNs for safe(r) mobile access — is this IT argument gaining traction? Can security costs be spun as contributing to RCO, TCO, etc.?
SCHNEIER: It’s hard. Security is infrastructure, like power or your desk. And while infrastructure enables companies to do things they otherwise couldn’t, it’s difficult to claim that a desk contributes to RCO or TCO. Companies have tried over the decades, but it just doesn’t make sense to potential customers or investors. Power and phone and IT security are considered to be costs. I think we just have to accept that.
DERN: Where is IT succeeding in getting budget for security measures?
SCHNEIER: Compliance is probably the best tool we have to get IT security budget. It’s kind of amazing. You’d think that trying to prevent a massive security breach would be incentive enough, but it turns out that executives are willing to take the chance. Failing an audit, however, is a big deal.