When the organizers of the just-concluded Black Hat USA conference wanted to explore incident response, they turned to Bruce Schneier, the cryptographer, author, blogger and cybersecurity expert, to make a presentation. Until recently, however, Schneier's name wouldn't be on most people's list of incident response experts.
Schneier's reputation, after all, was built on his keen observations of the influence of IT security on society and vice versa, as well as bringing to light the previously unknown, such as the National Security Agency's tampering with cryptography guidance from the National Institute of Standards and Technology (see NIST to Drop Crypto Algorithm from Guidance).
The thing about incident response is it is not cyber, it's crisis management.
But since the beginning of the year, Schneier has been serving as chief technology officer of 4-year-old Co3 Systems, which provides automated incident response systems. He served as a company adviser for about a year before joining the startup.
Schneier's Black Hat session, "The State of Incident Response," explored the economic and psychological forces that affect incident response as a business and technical activity. After the session, I caught up with him, and we discussed where automated incident response offerings, such as those offered by Co3 Systems and others, are heading in the coming years.
"The thing about incident response is it is not cyber, it's crisis management," Schneier says. "I think there is a lot we're going to learn from the non-computer people. Co3 right now does cybersecurity. There's nothing about the system that makes it non-applicable to general PR crises, to weather crises like hurricanes, to all sorts of incidents. As we move our product into the other spheres, we're going to learn a lot that we can teach IT."
Automated incident response technologies being used in fields beyond cybersecurity and data breaches represent a trend in which the virtual and kinetic are converging. It's not just with technologies, but with the way organizations operate. Enterprises can't function unless they have information systems, and those systems must be secure for organizations to achieve their goals. We're already seeing dual purpose technologies; tools to authenticate users to access sensitive data on a corporate server are employed to authenticate employees to access buildings, for instance.
Bruce Schneier on incident response mistakes.
Similarly, assessing information risk is becoming a critical component of overall corporate risk management. Organizations can't function effectively if their IT systems are at risk.
Schneier's pondering that Co3 Systems and its competitors may soon market the same wares to automate the response to a breach or a hurricane or a public-relations disaster is one more example of the convergence of the digital and the physical.