"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology"
About this Quote
Schneier’s line is a slap at a recurring techno-fantasy: the belief that you can buy (or code) your way out of risk. It works because it refuses the comforting frame in which “security” is a product feature and “technology” is a neutral upgrade. Instead, it treats security as a messy, adversarial relationship between people, incentives, and systems - where attackers adapt, users misconfigure, and organizations quietly prioritize convenience until something breaks.
The first “you don’t understand” targets the problem space. Security failures rarely come from a lack of tools; they come from misplaced trust, bad threat models, and human behavior under pressure. A company that installs new authentication but ignores phishing training, incident response, or internal access policies is solving the wrong problem: not “how do we add tech,” but “where are we actually vulnerable, and why?”
The second “you don’t understand the technology” is even sharper: tech isn’t magic, it’s tradeoffs. Every new layer adds complexity, and complexity is fertile ground for bugs, misconfigurations, and false confidence. The subtext is classic Schneier: cryptography can be mathematically elegant while the real-world system around it is a leaky, improvised contraption of legacy software, rushed deployments, and perverse incentives.
Context matters: Schneier’s career sits in the long hangover from “security as a checkbox” thinking, where vendors promise certainty and executives want absolution. This quote denies absolution. It insists security is governance, design, and ongoing skepticism - with technology as one tool, not the savior.
Quote Details
| Topic | Privacy & Cybersecurity |
|---|---|



