The IT security industry should not be regulated, despite a rise in flaws and breaches that are causing businesses financial loss and downtime, says a top government security expert.

Dr Stephen Marsh, director of the Cabinet Office’s Central Sponsor for Information Assurance (CSIA) unit, says that the IT industry is failing to design products without security flaws, but adds that regulation could have dire effects.

‘Regulation is something we should use very sparingly. Admittedly there is a market failure in terms of securing products and that is something we need to address through education,’ Marsh told last week’s RSA Europe Conference in Vienna.

‘I think there are some things that we don’t want to regulate, including technology itself. It will hamper innovation and the discipline is too immature to start imposing regulation.’

Marsh says IT purchasers should put pressure on vendors through buying habits, and drew attention to the government’s IT security Claims Test Mark scheme, which checks vendor products before approving them for the public sector (Computing, 8 September).

If governments are forced to regulate IT security they should endorse industry best practice approaches, such as BS7799, rather than dictate what businesses must do, he says.

But Michael Colao, global head of information security at investment bank Dresdner Kleinwort Wasserstein, disputes the notion that regulation will hinder innovation and says users should not be picking up the cost of poor vendor design.

‘We have paid a tremendous amount of money over the years for dealing with vulnerabilities not caused by us, and getting rid of bugs, defects and human screw-ups at the vendor’s end,’ he said.

‘It isn’t an either/or in terms of regulation and innovation. I work in one of the most highly regulated markets in the world and it is highly innovative.’

Colao says ISPs should be forced to improve security at the network level, where spam, phishing emails and botnets can be reduced more easily.

‘People regulate banks because that is where the money is, but it is becoming the case with the internet,’ he said.

Marsh says that 80 per cent of ISPs could be put out of business if they were forced to incur additional costs.