Security Strategy

Editor's Blog: Should everybody be a security company?

Part 2: Or should there even be 'security companies'?

Tags: ibm, iss, security, bruce schneier

By Will Sturgeon

Published: 25 April 2007 13:10 GMT

silicon.com editor-at-large Will Sturgeon is blogging from the InfoSecurity show at London Olympia.

I've just caught up with acclaimed 'security guru' and self-confessed "media slut" Bruce Schneier. He is now an employee of BT though it seems a job at such a monolith has done nothing to dampen his enthusiasm or tendency for the controversial.

Schneier spoke out about the relevance of an event like InfoSec, branding its very existence "a problem". His issue isn't with the show per se or the way it is organised but with the obvious suggestion it makes that security should be viewed in isolation as some kind of standalone silo. Should we really be buying applications to secure applications? Shouldn't the original app just be secure in the first place? It's a good question and I'll write more about this later today.

Schneier's words echo those of Lord Broers, the chair of the House of Lords science and technology committee. Speaking yesterday, Broers said: "Too much responsibility is placed on end users and not the people best-placed to manage risks."

The "best people" to take responsibility for security are those writing applications or running websites, he said.

The good news is more companies are employing penetration testing on their websites, according to Peter Wood on the First Base Technologies stand. Chatting at the end of day one, Wood told me it's that side of his company's offering that most passers-by are showing interest in.

And in a roundabout way the realisation that everybody needs to ship secure struck me yesterday.

During lunch I found myself working at a table with three journalists apparently obsessed with a wearying comparison of the freebies they had managed to nab from the stands on the show floor. This it would seem is their only measure of whether a trade show is worth attending or not.

"What are these?" asks one as he turns out his pockets. "Oh it's a box of mints, I think." He then asks his colleague where (rather than 'why?' which would have been my question) he had picked up a stuffed toy fox.

"I missed the breakfast," bemoaned another lest he be missed out of this most interesting of conversations.

"I wouldn't hang around, there's only two trays of sandwiches," advised the third returning from the lunch buffet with an analysis of the meagre freebies on offer.

However, delegates don't always get things their own way at such lunches and the organisers of the show's press centre had offered up the captive audience of journalists as a sponsored slot to IBM's ISS division. Cue the sales pitch (how much kit did this guy really think he was going to sell to a room full of journalists?).

"There's no such thing as a free lunch..." he began (which is true in my case as I bought a sandwich in Pret).

"IBM is a leading security company," he continued. And here's why: "In many companies eight per cent of an IT budget will be spent on security," he said.

Opportunity breeds interest and that is no doubt why IBM is fast-positioning itself more as a security company. Most notable among three acquisitions made by IBM in the past year was ISS itself - an acquisition Schneier said "looked insane" at first glance until he realised companies - even those the size of IBM - are slowly waking up to the need to ship secure products.
