By Will Sturgeon
Special to CNET News.com
April 26, 2007
LONDON - Outspoken author and security guru Bruce Schneier has
questioned the very existence of the security industry, suggesting it
merely indicates the willingness of other technology companies to ship
insecure software and hardware.
Speaking this week at Infosecurity Europe 2007, a leading trade show for
the security industry, Schneier said, "the fact this show even exists is
a problem. You should not have to come to this show ever."
"We shouldn't have to come and find a company to secure our e-mail.
E-mail should already be secure. We shouldn't have to buy from somebody
to secure our network or servers. Our networks and servers should
already be secure."
Schneier, chief technology officer at BT Counterpane, said his own
company was bought by BT Group last year because the U.K.
telecommunications giant realized the need for security to be part of
any service, not an add-on at additional cost and inconvenience to the
His words echoed those of Lord Alec Broers, chair of the House of Lords
science and technology committee, who suggested every company, from
operating system and application vendors to ISPs, needs to take greater
responsibility for the security of end users.
"Security is a small but important piece of the bigger picture,"
Schneier said. He added that consumers shouldn't accept any product that
is inherently insecure.
However, Graham Cluley, senior technology consultant at Sophos,
suggested Schneier's dream may be a long way from reality. "Why didn't
everybody think about this sooner?" said Cluley. "It would be great."
"It would be great if robberies didn't happen and if road accidents
didn't happen and if I didn't stub my toe," he added. "But what you have
to realize is that software developers are human and humans make
"I can't imagine there ever being a 100 percent secure operating system,
because a vital component of programming that operating system is
Jon Collins, service director at analyst house Freeform Dynamics,
expressed his own doubts about the value of the security industry but
said it will always be fed by dual forces of end-user error and the
shipping of insecure products.
"I always used to think the security industry existed to make people
scared and then sell them something to protect them from what they were
afraid of. But now I think it exists because of what people are prepared
to buy," he said, adding that investment in security products tends to
be reactive to a problem a company has already suffered, making security
a "fire extinguisher industry."
But Collins added that it is not true to suggest that user reaction is
always due to inherently insecure software or hardware.
"Even if everything was secured, the end user would still find a way to
configure it wrong or install it wrong or enable the wrong privileges
and permissions," he said.
Will Sturgeon of Silicon.com reported from London.
Copyright 1995-2007 CNET Networks, Inc. All rights reserved.
Subscribe to InfoSec News