Review: “Schneier on Security”, for IT Professionals

Allow me to get this out of the way first: I’m not a book reviewer, as I’m sure will be evident from reading this post. However, I do work in IT, and I do deal with security issues, which makes me one of the potential target audiences for Bruce Schneier’s latest book. If you don’t know who Schneier is, this description from his website sums it up well:

Schneier is an internationally renowned security technologist and author. Described by The Economist as a security guru… best known as a refreshingly candid and lucid security critic. He is also the Chief Security Technology Officer of the BT Group.

I received a copy of Schneier on Security several weeks ago, and have read with interest since then his opinions on security. The book is a collection of previously published blog posts and print & newsletter articles written by Bruce over the past few years, so if you’ve been a regular reader of his work this may be nothing new for you.

A recent review of the book on PC Pro makes the claim that Schneier’s “high-level, populist approach … means little in this book will be of practical use to professionals”. I disagree with that statement. There is much in the book that does not pertain to information security, and Schneier’s vantage point on security is certainly from a 30,000-foot view; I won’t argue those points. However, the real value of this book is gaining an insight into the mindset of one of the best security practitioners in the industry. So much of what is done in the name of security is done almost mindlessly, without consideration of whether or not it truly improves security, part of what Schneier terms “security theater”. The utility of this book for the average IT professional is in the opportunity to adopt that security mindset: seeing security and vulnerability from a different perspective, and not just adopting a policy because a white paper labels it a best practice, but examining it from an analytical perspective.

As mentioned, there are topics that don’t pertain directly to InfoSec. In the book you’ll find articles on terrorism, airline security, personal privacy, government abuse of power, psychology, etc. As you read these essays, though, you’ll begin to see how certain points made could apply to the InfoSec world, and you’ll find yourself starting to rethink your perception of security. Some of Schneier’s main themes throughout the book, security being about trade-offs, and security being more a feeling than a reality, are strikingly obvious yet often overlooked. You likely won’t agree with all of the opinions (running open wireless as Bruce claims he does at home? Definitely not.), but I believe that most in the IT field would find this book eye-opening and one of the better non-technical security books around.

This book is not for you if you’re looking for a step-by-step guide or specific list of best practices. However, if you’re an IT professional with anything more than a passing interest in information security, I highly recommend picking up this book and/or becoming a regular reader of Schneier’s.

Related Links:

Schneier on Security Blog

Crypto-Gram Newsletter

4 Responses

  1. […] Review of “Schneier on Security” – I like Bruce Schneier, but I’ve most likely read almost every article in this book when it originally came out.  So why would I spend money to read them again in paper form?  YMMV […]

  3. We saw something like this in our corner of Michigan recently.

    Can’t wait for all these XP systems to start needing upgrades.

    Thanks for the post.