Schneier: 'We shouldn't need a security industry'

Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.

Speaking to silicon.com at the InfoSec show at London Olympia this week - a leading trade show for the security industry - Schneier said: "The fact this show even exists is a problem. You should not have to come to this show ever.

"We shouldn't have to come and find a company to secure our email. Email should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

Schneier, CTO at Counterpane, said his own company was bought by BT last year because the network realised the need for security to be a part of any service, not an add-on at additional cost and inconvenience to the user.

His words echoed those of Lord Broers, chair of the House of Lords science and technology committee, who suggested every company - from operating system and application vendors to ISPs - needs to take greater responsibility for the security of end users.

Schneier said: "Security is a small but important piece of the bigger picture," adding consumers shouldn't accept any product that is inherently insecure.

However, Graham Cluley, senior technology consultant at Sophos, suggested Schneier's dream is a long way from reality. "Why didn't everybody think about this sooner?" he said. "It would be great."

Cluley added: "It would be great if robberies didn't happen and if road accidents didn't happen and if I didn't stub my toe but what you have to realise is that software developers are human and humans make mistakes.

"I can't imagine there ever being a 100 per cent secure operating system because a vital component of programming that operating system is human."

Speaking to silicon.com, Jon Collins, service director at analyst house Freeform Dynamics, expressed his own doubts about the value of the security industry but said it will always be fed by dual forces of end-user error and the shipping of insecure products.

He said: "I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy," adding that security investment tends to be reactive to a problem a company has already suffered - making security a "fire extinguisher industry".

But Collins added it's not true to suggest user reaction is always due to inherently insecure software or hardware. "Even if everything was secured the end user would still find a way to configure it wrong or install it wrong or enable the wrong privileges and permissions," he said.