Q&A: Bruce Schneier, founder and chief technology officer of Counterpane

Computing spoke to Schneier about attitudes to IT security, ahead of his keynote address at the RSA conference in Amsterdam next week

Written by Mark Samuels

Companies must stop treating IT security in isolation from other business processes, according to Bruce Schneier, founder of Counterpane and keynote speaker at next week's RSA Conference.

Schneier warns that our approach to hackers and online fraud is often based on the false premise that it's a mysterious new phenomenon.

He urges businesses to think about IT security like they do every other aspect of crime prevention. If you want to understand the dangers, look at the threat to your bottom line; don't fall for the hype about IT hackers, 'just follow the money.'

Schneier spoke to Computing in advance of the RSA Conference, which runs from November 3-5 at the RAI Conference Centre in Amsterdam.

Schneier is founder and chief technical officer of Counterpane Internet Security, which provides managed security services to blue-chip companies. Counterpane's outsourced service uses a combination of people and technology to safeguard computer networks.

He also designed the Blowfish encryption algorithm, and his Twofish algorithm was a finalist for the new Federal Advanced Encryption Standard (AES).

How did you get interested in IT security?

I've always worked in security. And I think security is a mindset. When I was a consultant looking to hire people, I'd look for individuals that would just break systems out of habit.

I'm talking about the kind of person that, when they walked in a store, would look for the cameras. And when they'd see a tollbooth, they'd notice how they could break it. They wouldn't actually do it - but they could get around paying.

Security is really just a way of thinking - and I've always thought that. And going into security was very much a natural decision for me.

How did your career develop?

I didn't start in IT but in cryptography. My background is in mathematics and is very theoretical. I moved into IT and computer security by branching outwards from cryptography.

My career has been an endless series of generalisations. I did protocols and cryptography, then I did computer security, then network security - and now a lot of my work is in general security.

Pretty soon I'm going to Johannesburg to give a lecture to people who are trying to deal with container security at ports. My work has a lot to do with taking small ideas and generalising them outwards.

Why form Counterpane?

Counterpane was originally a consulting company. It was formed because people wanted to hire me to do cryptography work. Counterpane is now a managed security service company - and we provide monitoring, management and installation services to corporations that need that kind of expertise, but can't afford it full-time.

It's a lot of fun and it's always interesting. The benefit of doing security for others is that you get to see so much stuff. Monitoring companies, you get to see all kinds of attacks. And we've managed to attract 400 customers in the four years since we started.

How proud are you of your algorithm development work?

Blowfish and Twofish are still being used widely - and both were good fun to develop. Both involved a lot of work with a lot of people. And they involved design and re-design - and there was a lot of back and forth between the team.

There's no quick answer to how an algorithm works. You design something, you try to break it - you re-design it, you re-break it - and you end up with something strong.

The algorithms have been used as the building blocks of secure systems. It's a component - it doesn't stand alone, but it works in combination with other elements of a security system.

What do you think of most companies' preparedness for security attacks?

Most businesses are pretty awful. I don't have a good, single answer why. But one thing it's not about is technology - it's about people.

Companies need to understand what is going on. Security, as an issue, hasn't changed for thousands of years. Technology isn't going to provide some magical solution to the problems that have existed since the beginning of time.

Is it about putting a security policy in place?

Well, does security in your home have anything to do with a policy? No. We can use fancy words but security in the home is basically about ensuring your kids lock the door.

The same is basically true in business. And we're doing so badly at coping with viruses because people open attachments. That's the problem - and if we had a better policy, would people follow it? No.

What should be an IT director's security priority for 2004?

I think people grossly over-estimate the risk of hacking and under-estimate the risk of crime or fraud. Companies are not thinking in terms of standard fraud. People steal stuff offline and online - and there's no way to solve it.

What businesses must learn to do is to deal with crime, and that means dealing with their people stealing in cyberspace. Because fraud is taking place on a computer, it isn't magically different. It's the same as in the real world - so if your company has a way of dealing with fraud, be that with the Police, use it.

What will you be talking about at the RSA conference?

I'll be talking about security in context. Don't think of security by itself - you need to think of it in relation to the rest of your business processes.
