Security is a process not a destination.

What is wrong with the security industry is that much of it – think antiviruses – tries to mitigate problems that happened.

Now there is a very good reason for that: pointy-haired bosses are blissfully unaware of how secure their products are, and are therefore unable to wisely spend money on their own products’ security. But they will have problems, and they will spend a pot of money in trying to fix the problems once they are discovered.

I don’t know if our economy (market forces, whatever) will be able to head into the distant future Schneier describes, where the security industry can’t be told apart from the software industry. Still, I’d consider the security industry a failure if it doesn’t happen.

The major driving force behind security has always been fear. Why install alarms around your house, because it looks pretty?

The security industry thrives and booms on fear. What if my company website looks bad after being defaced? what if our customers information is disclosed to the Internet? What if corporate and government secrets are stolen?

What drives the fear? Ultimately I belive its money in the form of credibility. If this makes us look bad we lose customers and therefore lose money.

As long as there are bad guys doing bad things, the security industry will be around. If they really wanted to hinder progress, they shouldn’t do anything at all and be patient.