
War of words breaks out in divided industry...
Published: 19 October 2005 15:10 GMT
Security experts are fiercely divided on the issue of regulation, with one respected industry figure insisting the IT security market must be regulated as tightly as airlines or pharmaceutical companies.
Bruce Schneier, CTO of Counterpane, told silicon.com legislators must force security companies to accept regulation. "Capitalism is not altruistic. Microsoft is not in the business of being a charity and that's why its software is buggy," said Schneier, who claimed companies choose time-to-market and cost savings over security.
Schneier argued governments must therefore make the decision for the vendors and require software companies to comply with regulation – creating a financial disincentive, such as an inability to trade or litigation, if they do not.
He said: "As soon as you make it in a company's best interest they will find a way to do it."
But Schneier and other advocates of regulation face fierce opposition from within the industry.
Speaking during a heated session at the RSA Conference Europe, Harris Miller, president of the Information Technology Association of America, said regulation would be a trade-off with innovation.
He said: "Creativity is lost when governments start telling you what to do. The idea of government getting involved is very scary to me."
But that suggestion is "disingenuous" according to Michael Colao, director of information security at Dresdner Kleinwort Wasserstein. "Innovation and regulation are not mutually exclusive," he said. However, he added: "Regulation is going to cost more than it saves if it is not done well and I don't believe it will be done well."
One such example of regulation is the UK's Central Sponsor for Information Assurance (CSIA), part of the Cabinet Office, which now offers a Claims Tested mark for companies who want to prove their product 'does what it says on the tin'.
Dr Steve Marsh, director at the CSIA, told silicon.com: "We need to make sure users can make informed choices."
However, the certification is not mandatory. In terms of encouraging companies to sign up, Marsh said: "What we would hope is that in due course areas of the public sector would say: 'We're only going to use applications which carry this mark'."
If enough public sector bodies refuse to deal with firms who do not achieve the CCT mark, Marsh is confident vendors will pay up and sign up.
Stuart Okin, associate partner at Accenture and former UK head of security at Microsoft, said such a stance from the public sector would be "very powerful". But he too warned: "You have to be very, very careful that you don't stifle innovation."
However, Counterpane's Schneier said: "Unfettered innovation is not necessarily a good thing.
"We've already decided that unfettered innovation isn't good in the pharmaceuticals industry. There are a lot of drugs which aren't available, because some of them will kill you.
"And if you go to the airport the customer can't walk up to the planes and examine them and make an informed decision on which airline is the safest. We have to rely upon regulation to be our expert by proxy."
Schneier said it is inevitable the security industry will become bound by similarly tight regulation and he expects Europe to lead the charge.
Dresdner's Colao added: "I think regulation is a really, really bad thing. And I think it is coming."
Copyright © 2008 CBS Interactive Limited. All rights reserved.