Our Process-Centric Future: According to Bruce Schneier
"Security is a process, not a product that you actually have to do."
Gutsy Staff | June 25, 2024
Nearly a quarter century ago, renowned cybersecurity leader Bruce Schneier published a column titled “The Process of Security,” which outlined what was, at the time, a novel approach to emerging cyber threats: one focused on building, testing, and revising organizational processes.
Schneier remains on the cutting edge of cybersecurity, serving not only as an advisor for Gutsy, but also as the chief of security architecture at Inrupt, the company founded by Sir Tim Berners-Lee to create a more authentic and secure internet. He writes frequently on a wide variety of topics and is an acclaimed expert in cryptography.
During an interview with Gutsy CTO John Morello, Schneier discussed the modern state of cybersecurity, how it is changing, how to build processes, and how technology impacts security.
Here are eight key takeaways from that interview.
Security is Still All About Process
"The process of security is continual."
In 2000, Schneier emphasized that security requires continuous effort and a combination of protection, detection, and response mechanisms. This concept, that security is a process, not a product, has become a cornerstone in modern cybersecurity strategies, where ongoing vigilance and adaptation are essential.
Schneier explains how security has become even more about process, with organizations needing a process not just for rote, repeated tasks but also for Black Swan events, so that they are better prepared to respond to the outliers.
Security processes are now widely recognized as essential. Organizations have moved from merely installing products to managing complex services and processes. Schneier observed, "We are much more sophisticated in process today. Now the challenge is getting the processes to work together, getting the processes to be responsive." This integration is crucial for a cohesive security posture.
Trust is More Critical Than Ever for Security Performance
Creating trust is paramount for security leaders. Cybersecurity teams are more effective when they trust their leaders. Company boards and executives also need to trust their CISOs.
Trustworthiness is built through honesty, transparency, and data-backed arguments.
Schneier highlighted, "The best way to create trust is to be trustworthy. Be honest, have data, have good arguments." This principle extends to choosing trustworthy vendors and service providers, as organizations increasingly rely on external services for their IT and security needs. With attacks increasingly focused on the software and technology supply chain, trust is even more critical because you are only as good as the security of others in your supply chain.
More Regulated Cybersecurity Means Starker Consequences
One of the most significant changes in the cybersecurity landscape is the increasing role of regulation. In the past three years, regulations on cybersecurity processes, planning, and disclosure of breaches have accelerated across multiple industries.
New regulations such as the European Union’s Cyber Resilience Act and the U.S. Securities and Exchange Commission’s strict new disclosure rules are already forcing cybersecurity teams to behave differently. Schneier discussed the balance between allowing freedom for innovation and imposing the restrictions necessary to protect public safety.
"We're moving from a world where everything is possible to a world where your options are limited... you get it wrong, and the results can be catastrophic."
This is partly why CISOs today are even facing personal liability for bad outcomes.
AI as a Double-Edged Sword for Cybersecurity
Artificial Intelligence (AI) represents both a significant opportunity and a formidable challenge for cybersecurity. During our interview, Schneier expressed concerns about the inherent biases in AI systems and their potential for misuse.
The dual nature of AI means that it can be a powerful tool for security and a potent weapon for adversaries.
CISOs are already deploying AI and LLMs to improve security processes and as a mechanism for faster incident response and analysis. With so many powerful AI models in the public domain, it is only a matter of time before these systems work their way into the technology arsenals of attackers and other bad actors.
The Importance of Documentation and Auditing
Effective security processes require thorough documentation and regular auditing. What’s more, this is a separate discipline within cybersecurity.
"Having processes, having robust processes... testing them, auditing them, improving... that's its own separate cycle."
Schneier pointed out that regular audits ensure that processes are not only in place but are functioning as intended and evolving with new threats.
Overcoming Resource Constraints
Despite the advancements in security processes, many organizations still struggle with resource constraints and would prefer to optimize their existing security investments rather than spend more money on more tools.
"A lot of organizations don't have the resources, the time, the ability, the manpower..."
Schneier notes that this ongoing challenge requires strategic planning and prioritization to implement critical security measures effectively. That resource constraints remain a problem despite the strong growth in cybersecurity spending and headcount demonstrates the tremendous scope of the problem.
Strategic Use of Security Metrics to Guide Decisions
"The more you can go to the board or management with data... that's really important."
Schneier emphasized the importance of using data and metrics to support security decisions. Quantitative metrics provide a clear picture of security posture and help justify investments in security initiatives and changes in security headcount or programs.
While every significant cybersecurity team already uses data and metrics to measure and monitor performance and risk, CISOs must create a different set of metrics for the board and management: ones that communicate where more resources are required and how programs are performing over the long run.
Building Resilience Through Processes
"Processes give you the ability to run those hypotheticals and to answer those questions."
Finally, Schneier underscored the importance of building resilience through well-defined processes. He said that a process-centric approach enables organizations to anticipate, prepare for, and respond to security incidents more effectively. Mapping security processes and converting them into actionable data and intelligence allows companies to visualize how they work and to devise plans that improve resilience through improved processes.
Schneier’s Basic Rules of Cybersecurity
Schneier's timeless insights underscore both the continuity and the changes in cybersecurity practice and governance:
- The shift from product-centric to process-centric security
- The critical role of trust
- The balancing act of regulation
- The dual-edged sword of AI
- The ongoing challenges of resource constraints and rapid technological change
These all shape cybersecurity's current and future landscape. Schneier's reflections offer valuable lessons: prioritize robust processes, build and maintain trust, advocate for sensible regulation, stay ahead of AI-driven threats, and champion the strategic use of data and metrics. Above all, focus on security processes — managing processes, visualizing processes, refining processes, and leveraging processes to get the most out of all security controls and headcount.
Security remains a process — a more complicated one than before, but still a process.
Learn more
[Interview Video Series] Bruce Schneier: Gutsy Advisor