Dubai: Online security, server crashes, disaster recovery, data theft, cyber crime... these are just some of the challenges faced by businesses worldwide.
How does one handle them? The solution lies with the information technology departments and their heads — usually chief technology officers. Bruce Schneier is one such person.
Schneier was in Dubai for the recent World Economic Forum summit, where he participated in discussions on the future of the internet.
Quite unlike some of his peers, Schneier is refreshingly candid, forthright and humorous when discussing cyber security.
In an exclusive interview with Gulf News, Schneier explains why everyone in the corporate world needs to know about security in order to survive and be competitive. Excerpts:
Gulf News: Are companies budgeting the right amount for security?
Bruce Schneier: Frankly speaking, no. Security should play a key role in the IT policies of any given business, and it should be factored into the budget, with strategies and processes decided upon with full awareness of both risks and issues.
Risks get bigger as programmes and applications get better. With the number of security vulnerabilities and breaches increasing, it is vital that one learns how to manage these vulnerabilities and protect data in this networked world.
Are there no quick fixes to digital security?
No, security will obviously be a requirement as long as there are threats. The industry is secure and has a future, but it will be different from the present state. This means that the users' security may be placed in the hands of the providers of IT products as a whole, rather than kept as their own responsibility.
We have certainly not reached a stage where users do not have to worry about security. They should still take measures to protect themselves. I do not believe we will reach that stage in our lifetime.
Cloud computing is in the news. A lot of the discussions focus on what cloud computing actually is?
Cloud computing is an ongoing reality. Whether you like it or not and even if it creates a risk on security, it is happening.
Cloud computing is a dynamically scalable service offered over the internet, whether it is software as a service, or platform as a service, or infrastructure as a service, or a combination of all these.
It is like placing your data on someone else's hard disk. More and more companies are moving on to cloud. Whatever cloud computing is, the security issues and conversations around it are nothing new.
Do these increased cloud computing services equate to a bigger security risk?
There are concerns associated whenever you trust someone else, so whether it is your data or something else, you need to trust someone. One of the problems we have is with transparency, and this is not only with cloud computing, this applies to anything.
Well, you know, you lose control when somebody else writes your operating system. It's just a matter of degree, right? If you want control, you have to build your own hardware, write your own operating system. It's just another step along that line.
I mean, how much control do you have when Microsoft controls your Excel and Word files? Control is all about understanding who is doing what and where the responsibilities lie.
So how can the problem of security and privacy be addressed?
It always boils down to trust and transparency. The best practice is to trust the service provider. There are concerns associated whenever you trust someone else, so whether it is with your data or something else, you need to trust someone.
I can't call my bank and say that I need extra protection for my account. It is impossible. Same way, does anyone know what operating system Google uses? Does anyone care?" Even if you ask them, do you think you will get an answer? There are reasons for this. In a short span of time, IT has become like a utility.
Like many utilities, there is a certain element of taking things for granted on the part of the users.
Technology seems to be helping the bad guys and terrorists more. For instance, the Mumbai attacks. Isn't a concern?
According to officials investigating the Mumbai attacks, terrorists used Google Earth to help find their way around.
Criminals have used telephones and mobile phones since they were invented. Terrorists use aircraft and boats, radios and satellite phones... the Mumbai terrorists used boats as well. But they also wore boots. They drank bottled water, breathed the air and ate at restaurants before carrying out their attack in Mumbai.
Criminals using cloud computing will rise. But so what? Infrastructure is used by people to do good things and bad things.
So cloud computing won't generate different types of internet attacks?
That's a different question entirely. Of course, it will. Everything done will generate different types of attacks. Cloud computing will generate different types of attacks.
But not adopting cloud computing will generate different types of attacks. New and different types of attacks will always be generated and that will never stop, at least not in the foreseeable future.
New complexities will bring new risks. This will always be true.
Are there any lessons for chief information officers here?
When it comes to security, you have to act against crime, fraud and hackers. It is real and it is happening. They have to act according to the situation.
Profile: security expert
Bruce Schneier is the chief technology officer in charge of security at British Telecom.
He is the author of around eight books on computer network security and cryptography with a focus on the IT industry.
Schneier has testified on security before the US Congress on several occasions
He has written articles and opinion edits for major publications.
He is described by The Economist as a ‘security guru'.