IT security bedevilled by poor 'me too' products

by Iain Thomson

23 Oct 2007

The IT security market has too many bad products because purchasers don’t know what they are buying, delegates at the RSA Security conference were told.

In his keynote address, security expert and BT Counterpane chief executive Bruce Schneier said that for every good product in the industry there would be a couple of 'me too' companies pushing poor products.

But because IT security is so complex, most buyers have no way of telling whether a product is good, and so end up feeling more secure than they really are, which in the long term is bad for the business.

"Bad products drive out good products," he said.

"That's very true in our market. If I have two boxed products, one of which is securely coded and one that isn’t, you have no way of telling the difference, there's no functional test you can do. So you buy the cheaper one."

He said that this had contributed to a situation where users were caught between feeling secure and actually being secure. There was not enough accurate information available for people to make informed choices.

He described "security theatre" as security information designed to play on the emotions of security rather than the realities of security.

"That's probably why every ROI estimate is bogus," said Schneier.

"Using high number mathematics I can make an ROI say anything and not change psychologically what you think of it."

Such security theatre was harming the industry because people need to feel secure as well as actually be secure, but at the same time it was sometimes needed because products had to appeal to the emotions to sell.

One example of an undersold application was email security: Schneier said that the products worked very well but were undersold.

He said he was confident that, in the long term, the industry would get the balance right, pointing out that while there were few firewall companies left, the features of the best ones were found in most.
