Security through responsibility

Security providers are in rude health, unlike security itself. The industry must make itself more accountable if it is to make real progress for its customers

In a week dominated by security stories, two divergent strands refused to be woven together. One was commercial expansion: McAfee raised forecasts on strong results, Microsoft unveiled new research centres in Europe and Asia to flesh out its security push, and a whole host of announcements flowed from the Infosecurity show. All the signs of a robust and growing sector.

And then there was Bruce Schneier. The very existence of Infosecurity got his goat: it shouldn't need to exist, he said, because products shouldn't be so insecure in the first place that they need a security industry at all. His is a Cassandra-like voice in the wilderness: Schneier has often been ignored or dismissed by those whose interests he questions, and so it was here. Human nature and computer fallibility make this an impossible dream, said Graham Cluley of Sophos; it's just what people want, said analysts. There's much more truth in what Schneier says than they'd like to admit.

There is no doubt that the security industry often harms its own interests, through hype, poor software and worse customer service. Too often, the perception is that the vendors' responsibilities end when the software's sold — and that talking up threats is a major part of marketing. Hardware vendors collude in pushing out pre-installed packages that may not be what customers want, without being clear about what customers are getting. And there are no signs of the big security companies making efforts to improve the problems that really need tackling — where are the Symantec-sponsored workshops on writing safer software in the first place?

An interesting analogy is with medicine. Until a scientific approach was established, medicine was a mixture of ad-hoc cures, folklore and quackery. With increasing confidence in rationality and respectability, though, the field became more evidence-based, more formalised and more self-regulating. Doctors were expected not just to cure, but to do so in accordance with moral and practical guidelines that governed their membership of the industry. Education of practitioners and the lay public became paramount. The patients acquired considerable rights and an expectation of control in the process, and of scrupulous honesty.

This is the model the security industry needs to emulate. It needs to establish codes of conduct, an independent body with regulatory powers, metrics for performance and proper disputes procedures. It's rich enough to do this; it merely needs the maturity to accept it.