Schneier: People more important to security than processes
Security expert says people have to be in charge of security not technology
Staff cannot be taken out of the loop when it comes to incident response during a security breach, according security expert Bruce Schneier.
In a keynote speech at this year's IP Expo in London, the chief technology officer of incidence response vendor Co3 said that technology needs to serve employees and these employees need to be in charge.
He said protection and detection can only go so far and that security breaches were inevitable because users have "lost control of our data as a result of using cloud computing and consumer devices".
This meant that incidence response has come to the fore, as protection is not perfect.
He said that while security was "not a product but a process" in the nineties, it has now become both and the ratios have changed to the point where people don't help with security.
But while he praised the introduction of automatic updates to "get people out the loop", it is difficult to completely eradicate them from the incidence response process.
"You cannot automate incident response. Incident response has to be different because you have intelligent buyers," he said. "It is a fundamentally different process."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Schneier, who is also a Fellow at the Harvard Law School's Berkman Center, said in the security industry, people need to build, make and use tools to get inside what he called the "observe, orient, decide and act loop".
"In incident response this is failing," he added. "We need to do better and we can do better than the hackers and use tools that aid people."
But Schneier added that security was a "lemons' market" like used cars and this made it difficult for buyers to tell good products from bad ones.
He said: "Bad products outnumber good products because the consumer knows less about them than the sellers."
Schneier added that buyers now rely on certifications and awards rather than quality products, and will continue to underspend on security until something bad happens.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.