Living in an insecure world

It's been ten years since Bruce Schneier - founder of security monitoring firm Counterpane Internet Security - launched  his newsletter, Crypto-Gram, which expanded from covering computer security issues to a broader investigation into security issues of all sorts. Now Counterpane belongs to BT, where Schneier is chief security technology officer, and as he tells global technology editor John C Tanner security is still a hard sell

Telecom Asia: Your background is computer security and cryptography - how did you end up applying that knowledge into the world at large‾

Schneier: I think it's just what happens when I start looking at something. I start looking at the bigger picture. The first sort of major milestone was the post 9/11 issue. I just couldn't stop writing, and that's how I processed what happened.

It seems you're better known now for your writings on security than for the company you founded, Counterpane. For those who don't know, what did Counterpane do before it was bought by BT, and what's its status now‾

Counterpane is part of BT professional services in BT Americas, though it's selling worldwide. And it's still doing what it was doing, and the core is real-time security monitoring. The idea is that there are lots of security products out there, but if you're not watching them, they don't do any good. So that's always been what it was, and then there's a whole suite of services built around security monitoring.

There's all sorts of management, device management, configuration help, but all built around real-time monitoring. That's a critical piece BT needed, and we started working together, and then they decided to just to buy us. The other thing we get out of it is that BT also bought INS. So this amalgamated group is the INS security consulting services and our managed security services.

How would you differentiate that from the other managed security services out there‾
There really aren't. I mean, name three.

Well, all of BT's competitors have some sort of managed security services.

Well yeah, but 'some sort' of managed security service is what it is. Everyone says they do managed services, but real-time security monitoring, you don't see that. So I don't see a lot of competitors.

Do you still find you have to manage customer expectations on security‾ I ask because BT recently released a survey showing that enterprises still take a tick-box approach to security and think they're more secure than they were ten years ago.

Sure, and I want to get out of that game entirely, where the only reason you buy security is because things you buy suck. No one ever wants to buy security. You want to buy something you want, and if it isn't good you're stuck buying security. And that's the way the computing industry has been because the outbreaks of computer viruses are so bad you have to buy security separately. But if we sell things people actually want, actually sell functionality as opposed to what we do which is preventing functionality, then it's a way easier game, I'm much happier in there.