Have been away in sunny Rome for the last couple of days, covering the annual Information Security Solutions Europe (ISSE) event for IT security professionals. A definite improvement on Budapest last year, for several reasons, which I probably can’t go into here, but let’s just say I was very sorry to leave the Eternal City (even if, as usual, we were staying and working in actual fact somewhere closer to the Roma north circular).

After gorging on semi-freddo and red wine, there was just about time to listen to some IT experts do their thang.

Security guru Bruce Schneier was on form, telling us all what we kind of knew already but in a typically refreshing no-nonsense way; economics are the root cause of most every problem or gripe IT security chiefs are likely to have with their suppliers. Actually Bruce short-changed us a bit – the 10 security trends outlined in the ISSE programme actually became four economic principles when he came down to it, but we didn’t hold it against him. You can’t hate a man with such an endearing beard and ponytail combo for long.

Despite Eema’s worries (they’re the publicity-shy e-business industry association that runs ISSE by the way) the event was pretty successful I reckon, even if I did have to leave before drinking my own weight in Frascati at the gala dinner event on Wednesday night, instead spending it in the departure lounge of Ciampino airport – very rock and roll.

Various other experts told us how important it is to regulate the vendors, although EC uber-commissioner Viviane Reding was more laissez-faire, saying simply that "the EC invites private industry to be proactive" in creating better products etc. To an extent those calling for legislation are right – the economic incentive for security vendors to build better products clearly is not there, and it will probably always remain this way unless state intervention forces their hand, or IT buyers become more discerning and demanding. But I’m sure there’ll be many infosec bosses and vendors alike who will wince at the prospect of more heavy-handed legislation. Lightness of touch is not something governments are known for, least of all in such a fast-changing industry – how can a minimum standard for security products be drawn up in this environment? Any law risks being out of date before it even hits the statute books.

Also good value was Michael Howard (no, not that one) of Microsoft, who put his hands up and admitted his firm’s past mistakes with security – well not all of them, we only had three days. And then there was Enisa; star of the show last time around when it was a newly-formed organisation brimming with ideas and plans. Seemed a bit sidelined this time around as there were no major announcements, just a heads-up as to its continuing work on the EU-wide internet portal as part of the plan for an EU information sharing and alert system.