Schneier on the Criminal Threat
Having discussed the role of culture and human nature, we turn to technology and prevention.

Know It All: What about brute force, tech-driven hacking, the kind of thing you see in movies -- who wins that arms race?

Bruce Schneier: It's a question of tactics, and on any given week, one might better the other. Deciding who, at the time of writing, is ahead isn't really relevant. The bad guys have an objective, and they will take the easiest path. If the easiest path is tricking a secretary, then they'll do that. If the easiest path is a new vulnerability in Windows Vista that hasn't been patched yet, they'll do that. Figuring out which one they're going to do today tells you nothing about what they're going to do tomorrow. Like the TSA, we need to spend more effort on the general threat than focusing on what particular tactic is in vogue this week.

Know It All: What is the threat, really? Or more precisely, who is the threat to corporate IT?

Schneier: Mostly it's crime; the thing we have to worry about the most is criminals. Hacking changed from a hobbyist pursuit to a criminal pursuit. Criminals have gone international, they've gone up-market, they've gotten much more professional. Crime takes several flavors. The common one is what we call identity theft, which is basically fraud through impersonation. But we see attacking and owning of computers, sending of spam for commercial purposes, or for denial of service extortion. We're seeing more and more of that; it's still primarily targeted against fringe industries - online gambling, online porn - and fringe markets, like companies in the Caribbean, but it's rapidly growing. The question to ask is, if you are a large criminal organization, and you have control over 100,000 computers, how could you make money with them? And you end up with the things that criminals are now doing.

Know It All: How does a CEO deal with all of this? What's the structure in terms of working with a CIO or CSO?

Schneier: The details of the structure matter less than the fact that senior management cares, and that there is communication among these various people. I don't care whether the CIO or the CSO is running IT security, as long as the two of them will talk. I don't care if the CSO is under the finance people or under the IT people, as long as when something happens he can talk to the right people. Where exactly the lines are drawn matters little or none. What's important is to understand that IT security is part of security, and those are part of governance, and those are part of making the company profitable, and people have to make a bunch of hard tradeoffs. You have to decide whether more security is good or bad - it's good for security, but it could be bad for business. The decisions have to be made at a high enough level that you can make them intelligently, and that's far more important than exactly where things are connected.
