May 22 2026

The One Security Book That Got Louder With Every Passing Year

Why Click Here to Kill Everybody by Bruce Schneier belongs on every CISO’s, CAIO’s, and board director’s shelf — in that order

There are security books you read once and shelve. And then there is Bruce Schneier’s Click Here to Kill Everybody, which somehow becomes more relevant every quarter you wait to read it.

Schneier wrote it in 2018. Re-read it in 2026 and you will swear he had a working time machine.

If you are a security or AI governance leader and this book is not already dog-eared on your desk, this post is your nudge. Here is why I keep buying copies for clients, board members, and skeptical CFOs.


The thesis, in one sentence

When every “thing” becomes a computer — your car, your insulin pump, your factory floor, your municipal water system, and now your AI agents — every security flaw becomes a safety flaw.

That sounds obvious until you sit with it. Then it becomes terrifying.

Schneier coined the term “Internet+” to describe the merger of the digital and physical worlds. The internet used to steal your data. The Internet+ can steal your data, crash your car, shut off your pacemaker, and disrupt your power grid. Same vulnerabilities. Vastly different consequences.

This is not hypothetical. It is the world we have already built. Schneier just had the courage — and the receipts — to name it first.


Why this book hits harder in the age of AI

Here is the part that should land for anyone working in AI governance right now.

Schneier’s core argument is about the capability-consequence gap: we deployed connectivity faster than we deployed the governance, accountability, and policy machinery needed to manage its consequences.

Sound familiar?

Replace “IoT” with “generative AI” and “Internet+” with “agentic AI workflows,” and you are reading the playbook for the next five years of enterprise risk. The same market failures Schneier diagnosed — externalized costs, opaque supply chains, asymmetry between attackers and defenders, vendors who treat security as somebody else’s problem — are all reappearing in AI procurement decks today.

If you are implementing ISO 42001, building an AI risk program, or sitting in a room arguing about model approval workflows, this book gives you the moral and economic vocabulary you have been missing.


What you actually get when you read it

This is not a 400-page lecture. Schneier writes like an engineer who learned to talk to lawyers and then learned to talk to everyone else. The book is structured to be useful to three very different readers:

For the technical reader, it is a clear-eyed inventory of why secure-by-default is so hard at scale, why patching is broken, and why software liability has been ducked for thirty years.

For the policy reader, it is one of the most coherent arguments ever published for why cybersecurity is a public-policy problem, not a private one — and what regulation that actually works might look like.

For the executive reader, it is the most useful translation layer you will find between “our threat model” and “our fiduciary duty.” Hand it to a board member who keeps asking why the company can’t just buy a tool to fix this.


The five ideas you will quote for the rest of your career

Without spoiling the book, here are the frames I borrow from Schneier almost weekly with clients:

  1. Security is a property of systems, not products. You cannot bolt it on at the end. (Try telling that to a vendor selling “AI safety” as a feature flag.)
  2. Cheap, networked, and insecure beats expensive and safe — every time — until policy changes the math.
  3. The attacker only has to be right once. The defender has to be right always. Asymmetry is the entire game.
  4. Markets do not fix safety problems. They never have. Aviation, pharmaceuticals, automobiles, food — every safety regime was paid for in bodies before it was paid for in regulation.
  5. Resilience beats prevention. Build systems that fail well, because they will fail.

If any of those land hard, you are ready for the book.


Who this book is for (and who it really is not)

Read it if you are:

  • A CISO trying to articulate cyber-physical risk to a board that still thinks “cyber” means email phishing.
  • A Chief AI Officer or vCAIO building governance for systems whose blast radius extends into the physical and economic world.
  • An auditor, consultant, or implementer working on ISO 27001, ISO 42001, NIST CSF, or the EU AI Act — and looking for the why behind the controls.
  • A founder shipping connected hardware or AI agents who would rather understand the coming regulation than be surprised by it.
  • A policymaker, journalist, or director who wants one book that explains the whole landscape without dumbing it down.

Skip it if you are: looking for tactical hardening checklists or a CISSP study guide. This is a strategy book, not a runbook.


My honest take after twenty years in the trenches

I have spent two decades implementing security and governance programs across KPMG, IBM, Intel/McAfee, and now in my own practice — most recently as lead implementer for one of the first ISO 42001 certifications in the financial-data-room space. I have read every framework worth reading and most of the ones that are not.

Click Here to Kill Everybody is one of a very small number of books I re-read every year. Not because the technology stays the same — it absolutely does not — but because the frame Schneier built has aged better than almost any framework I have audited against.

The risks have gotten bigger. The systems have gotten more connected. The governance still lags. Schneier saw it. Read what he wrote.


Get the book

You can find Click Here to Kill Everybody: Security and Survival in a Hyper-connected World by Bruce Schneier wherever you buy books. Hardcover, paperback, audiobook — all worth it. The audiobook is particularly good for a commute or a long flight if you spend your day reading PDFs already.

If you want to discuss how the ideas in this book translate into a working AI governance and ISO 42001 program for your organization — including the parts Schneier could only gesture at in 2018 — that is exactly the work we do at DISC InfoSec.

info@deurainfosec.com

Financial data rooms are the “hard mode” of compliance — if it works there, it works anywhere.


Disc is the Principal Consultant at DISC InfoSec, a boutique AI governance and cybersecurity firm and PECB Authorized Training Partner for ISO 27001 and ISO 42001. He served as lead implementer and internal auditor for ShareVault’s recent ISO 42001 certification.

Tags: Bruce Schneier


Feb 16 2025

Almost a decade after Data and Goliath, Bruce Schneier declares: Privacy is still in jeopardy.

Category: Information Privacy | disc7 @ 10:31 pm

In a recent interview with The Register, renowned cryptographer and privacy advocate Bruce Schneier reflected on the decade since his seminal work, Data and Goliath, was published. He observed that both governmental and corporate surveillance have not only persisted but intensified over the years. Despite minor legislative adjustments, agencies like the NSA continue their extensive data collection practices unabated. Simultaneously, tech giants and data brokers have expanded their data harvesting operations, capitalizing on the proliferation of cloud computing and Internet-of-Things (IoT) devices.

Schneier highlighted the growing pervasiveness of surveillance tools in everyday life. The widespread adoption of IoT devices and the ubiquitous presence of smartphones have created an environment where individuals are under constant observation. This reality has led to an erosion of personal privacy, as more data is collected, stored, and analyzed than ever before. The convenience offered by modern technology often comes at the cost of personal data security, a trade-off that many users are either unaware of or feel powerless to challenge.

Addressing the role of government in protecting privacy, Schneier emphasized the necessity for comprehensive privacy legislation aimed at regulating mass surveillance. However, he expressed skepticism about the likelihood of significant federal action in the United States. While some progress has been made internationally, such as the European Union’s General Data Protection Regulation (GDPR), and at the state level within the U.S., these measures are often fragmented and insufficient to address the overarching issues of data exploitation and privacy invasion.

Schneier also discussed the ethical implications of current data practices. He predicted that, in the future, society will look back on today’s data exploitation methods with the same moral condemnation currently directed at historical labor abuses, such as sweatshops. This perspective suggests a growing awareness and potential shift in societal norms regarding privacy and data rights. As public consciousness evolves, there may be increased pressure on both corporations and governments to adopt more ethical data practices.

Reflecting on technological advancements, Schneier noted that the integration of sophisticated surveillance capabilities into everyday devices has outpaced the development of corresponding privacy protections. The rapid evolution of technology has made it increasingly difficult for existing legal frameworks to keep up, resulting in a landscape where personal data is more vulnerable than ever. This disconnect highlights the urgent need for adaptive policies that can respond to the fast-paced nature of technological innovation.

In conclusion, Schneier’s insights underscore a pressing need for a reevaluation of how personal data is collected, used, and protected. Without significant changes in both policy and public awareness, the trajectory points toward a future where privacy is continually compromised. Schneier’s call to action serves as a reminder that safeguarding privacy requires collective effort from individuals, corporations, and governments alike.

For further details, access the interview here.

Tags: Bruce Schneier, Data and Goliath


Jan 06 2011

Security 2020: Reduce Security Risks This Decade

Category: Information Security | DISC @ 10:59 am

Identify real security risks and skip the hype. After years of focusing on IT security, we find that hackers are as active and effective as ever. This book gives application developers, networking and security professionals, those that create standards, and CIOs a straightforward look at the reality of today’s IT security and a sobering forecast of what to expect in the next decade. It debunks the media hype and unnecessary concerns while focusing on the knowledge you need to combat and prioritize the actual risks of today and beyond.

  • IT security needs are constantly evolving; this guide examines what history has taught us and predicts future concerns.
  • Points out the differences between artificial concerns and solutions and the very real threats to new technology, with startling real-world scenarios.
  • Provides the knowledge needed to cope with emerging dangers and offers opinions and input from more than 20 noteworthy CIOs and business executives.
  • Gives you insight into not only what these industry experts believe, but also what over 20 of their peers believe and predict as well.

With a foreword by security expert Bruce Schneier, Security 2020: Reduce Security Risks This Decade supplies a roadmap to real IT security for the coming decade and beyond.

Order Security 2020: Reduce Security Risks This Decade for advice on how to reduce the IT security risks that emerging threats pose to your business in the coming years.

From the Back Cover

Learn what’s real, what’s hype, and what you can do about it
For decades, security experts and their IT peers have battled the black hats. Yet the threats are as prolific as ever and more sophisticated. Compliance requirements are evolving rapidly and globalization is creating new technology pressures. Risk mitigation is paramount. What lies ahead?

Doug Howard and Kevin Prince draw upon their vast experience of providing security services to many Fortune-ranked companies, as well as small and medium businesses. Along with their panel of security expert contributors, they offer real-world experience that provides a perspective on security past, present, and future. Some risk scenarios may surprise you. Some may embody fears you have already considered. But all will help you make tomorrow’s IT world a little more secure than today’s.

  • Over 50 industry experts weigh in with their thoughts
  • Review the history of security breaches
  • Explore likely future threats, including social networking concerns and doppelganger attacks
  • Understand the threat to Unified Communication and Collaboration (UCC) technologies
  • Consider the impact of an attack on the global financial system
  • Look at the expected evolution of intrusion detection systems, network access control, and related safeguards
  • Learn to combat the risks inherent in mobile devices and cloud computing
  • Study 11 chilling and highly possible scenarios that might happen in the future

Tags: Bruce Schneier, Computer security, Consultants, Doug Howard, Intrusion detection system, Kevin Prince, Security, United States