

Tim MalcomVetter
Co-Founder / CEO
Our Influences: Bruce Schneier
I honestly cannot remember when I first read Bruce’s writings, but it was probably “back in the late 1900s” (to quote the great Nate Bargatze).
Back then, cryptography was an early attraction that drew many of us into what we called “network security” or “computer security” and eventually “information security” (years before “cyber” was taken seriously as a name). People interested in this topic were reading Applied Cryptography, one of Bruce’s early books.
Just as with Dan Geer’s talks, I kept several of Bruce’s recorded talks in MP3 format on my iPod Nano, plugged into the fancy aux port of my Kia Spectra.
Back in those days, driving around in that Kia, I wrongly believed perfect security was possible, if you just got the recipe of components right: strong authentication, patched systems, correct firewall rules, that sort of thing. But that was wrong—and I’m pretty sure I figured that out before I moved on from that Kia. It may have come from his subsequent book, Secrets and Lies, where he said this right in the preface:
I have written this book partly to correct a mistake.
Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions—unregulated gambling, undetectable authentication, anonymous cash—safely and securely. In my vision cryptography was the great technological equalizer…
It’s just not true. Cryptography can’t do any of that … Cryptography doesn’t exist in a vacuum.
Cryptography is a branch of mathematics… Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible…
I started repeating a couple of sentiments you’ll find throughout this book:
“Security is a chain; it’s only as secure as the weakest link.”
“Security is a process, not a product.”
We could spend thousands of words (and basically Bruce did in that book and the ones that followed—read them all!) on breaking down just that book preface (and that’s just an excerpt of it!). But let’s just hone in on that last line.
# Security is a Process, Not a Product
I didn’t realize how ironic that quote would be for Wirespeed. We are both a PROCESS and a PRODUCT. Or to put it another way: our product is a very well oiled, highly-automated, very repeatable, and constantly monitored process. The process is so important to us we use conditional logic to implement it, rather than outsource it to unpredictable AI. It wasn’t an intentional channeling of Bruce’s brain; it was the subtle influence that has been there a long time.
# Early Founder in Security Monitoring
With an often-quoted adage like “Security is a Process, not a Product,” of course this next turn would make sense: Bruce founded Counterpane Internet Security, Inc. back in 1999, one of the first managed security services providers (MSSPs).
While Counterpane was not the first MSSP (likely the third by my research; the other two started within a year of Counterpane), the novelty in 1999 was that security experts were building product companies, not service companies, or as Bruce likely saw it: process companies.
Taking a vendor-neutral approach and performing monitoring was new. I can only imagine how much more difficult it would have been in 1999, with fewer tools, fewer common/open shared data formats, and very few detection products. It was the wild west! Fortunately, in 2024, when we founded Wirespeed, the economics and tech were much different. Our ability to triage is likely 100x to 1000x faster than Counterpane’s was (which was obviously state of the art at that time!) and our per-employee pricing model is drastically cheaper.
As an aside, from the little pricing data I can dig up today, more than 20 years later, their prices are not all that different per user than most of the current big players, i.e. there hasn’t been much of a shake-up until now, until Wirespeed. Providers have been adding more and more costs with more and more data even as some of their costs go down.
# A Great Security Predictor
Bruce made many predictions that came true. To the modern reader, they’re likely not as interesting today, because they seem obvious now, but back when he made them, he was often the lone voice. We cited one of his predictions from twenty years ago: that MFA (Multi-Factor Authentication) would not prevent account take-overs.
Another prediction he made, that is starting to shape up now, twenty-five years later, is the influence of insurance on cybersecurity. Bruce made this prediction before the United States Congress in 2021:
Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use -- along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use -- will be strongly influenced by the constraints of insurance.
# Be like Bruce
The guy who spent so much of his early career attempting to prevent security problems through crypto and authentication mechanisms came to realize it was better to expect security systems to fail … but find it fast through monitoring to make the failure meaningless, just like Dan Geer did.
Many others of us have had our own, perhaps smaller version of that: changing focus from prevention to detection & response. I was once a pentester; pentesting is attempting to find all the failure points before they’re exploited; therefore, it’s a prevention control. Moving into red team work changed all of that forever to focus on the reality that bad things will happen, leaving two questions: 1) Can you know when that happens? and 2) What can you do about it?
Detection & Response is where cybersecurity becomes real. Everything else is just preparation for the theoretical.
Thank you, Bruce, for your contributions and influence!