The Process of Security

2000-04-01

"The Process of Security" is an essay published in Information Security Magazine in April 2000, coinciding with the publication of secrets-and-lies. It is one of Schneier's clearest statements of the central argument of that book: that security is not a product but a process, and that framing security as a product to be purchased and installed is the source of most security failures.

The Core Argument

The essay argues that security is better understood as an ongoing activity than as a state that can be achieved. A system is never "secure" in the way that a door is either locked or unlocked; it is more or less resistant to particular attacks in particular contexts, and that resistance must be continuously maintained, evaluated, and updated as the threat environment changes.

This is security-is-a-process in its sharpest formulation. Schneier's target is the security product vendor's implicit claim: buy this firewall, install this antivirus, implement this protocol, and you will have security. That framing, he argues, is not just misleading but dangerous, because it produces organizations that invest in security products and then feel secure, when in reality the products address some threats while creating false confidence about others.

The Vendor-Criticism Dimension

"The Process of Security" has a polemical edge directed at the security industry. Schneier's critique of security theater (fully named in beyond-fear) begins here: he identifies the incentive for security vendors to sell visible, measurable products — firewalls, encryption software, intrusion detection systems — rather than the harder-to-quantify improvements in process, training, monitoring, and response that actually determine security outcomes.

This argument made Schneier an uncomfortable figure in the security industry. As the founder of counterpane-internet-security, he was himself a security vendor; his critique of his own industry's claims was credible precisely because of his standing within it.

Relationship to secrets-and-lies

The essay is essentially a compressed version of the argument of secrets-and-lies, published simultaneously. Its publication in a trade magazine gave the argument a different audience — security practitioners rather than book readers — and its compressed format makes it the most direct statement of the pivot. Readers who want the argument without the book's fuller treatment of threat modeling, human factors, and organizational dynamics should read this essay.

Legacy

"The Process of Security" is widely cited as one of Schneier's most important short essays. It has been reprinted and referenced across security curricula and is considered one of the canonical expressions of the security-is-a-process concept. Its argument that security is a process requiring continuous attention rather than a product requiring only correct installation has become orthodoxy in mature security organizations — a measure of how thoroughly the essay's argument has been absorbed.