They call me the ....
He has been described variously as a "crypto-pundit", "security guru" and even an "alpha geek in cryptography". The general consensus among those discussing or involved with security technology in the media and the IT industry is that Bruce Schneier is one of the world's leading authorities in his field. As a best-selling author and sought-after critic and media commentator he seeks to demystify the complexities and debunk traditional thinking surrounding security issues.
"The best comment I get from readers is 'You changed the way I think about this'; that's a huge thing," he says. "Ultimately security is a mentality, a way of looking at the world. There's a lot of fear around security issues and if you don't get beyond the fear you won't really deal with what's going on."
His free monthly online newsletter, Crypto-Gram, has over 100,000 readers and is widely quoted in the media. In addition, he is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC) and of a working group for the US Transportation Security Administration (TSA) Secure Flight programme.
Mr. Schneier is also the founder and chief technology officer of Counterpane Internet Security, which provides outsourced security monitoring and response services for corporate and government computer networks. Bermuda-based IT security specialist Quo Vadis is the local representative for Counterpane, and Mr. Schneier was in Bermuda this week speaking with business executives about security issues and appearing as the guest speaker at the Chamber of Commerce's 'Wired Wednesday' event.

In his latest book, "Beyond Fear", he provides guidance on how to think critically about making security decisions and the trade-offs related to those decisions. He is also the author of "Applied Cryptography", a best-seller on the arcane science of secret codes. Leading business publication Fortune called his second book, "Secrets and Lies", which dealt with computer and network security, "a jewel box of little surprises you can actually use." In "Beyond Fear" he tackles a broad range of risks and security problems, covering everything from personal safety to crime, and from corporate security to terrorism threats and national security.

From a corporate standpoint, in terms of network operations and computer security, the Internet has introduced a whole new level of risk to companies, which Mr. Schneier says is particularly important to the financial services industry.
"And it's important from the Bermuda perspective because with the Internet there's no such thing as an island any more; there's a greater risk of exposure to cyber crime from anywhere in the world," he says. "We tend to overplay cyber terrorism over cyber crime in the same way that we tend to be scared of spectacular but rare incidents that threaten our security; more people die in car crashes every year in the US than in terrorist attacks, for example.
But the real risk on the Internet is crime. If you're a bank offering Internet banking, you've now got more to worry about than thieves breaking in to rob the place."
He also says however, that people are the greatest risk to companies: "People are definitely the greatest security threat to companies, whether by malicious acts or through mistakes.
"How do you address that? A combination of assigning different levels of trust to different people.
"You have 'trusted people', those whom you have to trust in order for your security systems to work.
"You try to hire trustworthy people, doing personal background checks and so on.
"You employ compartmentalisation, limiting the amount of information and access given to people depending on their roles within the organisation.
"And you implement defence in depth, protecting security with multiple countermeasures, such as two or more authorised signatories for company cheques, so that your systems don't have any single points of weakness or failure."
He says that companies tend to use a combination of all these types of measures in an attempt to prevent security breaches.
"But in network security, as in security generally, prevention only really works with detection and response," he says.
"You could have a safe with the highest level of security rating, making it the most difficult for a criminal to crack.
"No matter how good your safe is, if there's no alarm attached to it that would send people running, forget it.
"It's the same for a company's network systems, with all the firewalls and other security features; detection of an incident on the network alone is ineffective, so you need some kind of response," he adds.
The managed security services Counterpane provides here in conjunction with Quo Vadis ensure that companies can achieve their desired level of response to any security incidents on their networks. The companies serve a wide variety of Bermuda clients 24 hours a day, on networks within the island as well as on the global operations of the multi-nationals based here.
"It's difficult to hire IT security expertise for in-house purposes in a market as small as Bermuda, so by outsourcing this function companies here get the benefit of the breadth and depth of an organisation like Counterpane," says Stephen Davidson, head of development at Quo Vadis. "They also use cutting-edge technologies to support these services, which clients benefit from directly. Last year they identified 16 billion security incidents from their client base."
Mr. Schneier says in his latest book that whilst security is complex, it can be broken down into a simple five-step process that individuals and companies can use to analyse and evaluate security systems, technologies and practices. The steps are: determining what assets you are trying to protect, in order to understand the true scope of your problem; assessing the risks to those assets; determining how well a security solution can mitigate those risks; assessing whether the security solution itself may cause other risks; and understanding what costs and trade-offs the security solution might impose on the organisation.
He admits that the questions in each step may seem obvious or trivial at first, "but they help you determine which kinds of security make sense and which don't."
It's a common sense approach, and one that continues to work for him, his company and most importantly, his clients.