Companies are banding together to push IT vendors into making their products more secure
What began as an uncoordinated din of IT professionals complaining about computer security has turned into a collective movement that's spanning entire industries. For evidence, consider the actions taken by BITS, a powerful financial-industry organization that recently crafted a detailed security policy on how it expects technology companies to respond to the needs of its member firms. Two weeks ago, the nonprofit consortium squeezed concessions from Microsoft. Now, other big-name vendors are in its sights.
BITS acted because the costs and risks associated with rising software vulnerabilities have become "untenable," senior director John Carlson says. Coping with software vulnerabilities has become a $1 billion-a-year problem for the financial industry, according to BITS, whose heavyweight roster includes Bank of America, Citigroup, Fidelity Investments, and Wells Fargo. "We clearly anticipated that the costs are going to increase over time unless something is done," Carlson says.
"There's almost no one who's immune," Huntington National Bank's Seibel says.
Photo by Janet Adams
Dissatisfied with the pace at which IT vendors were moving to address security problems, BITS decided to engage them on its own terms. "There's almost no one who's immune," says Larry Seibel, information security director at Huntington National Bank, whose chairman and CEO, Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone believes we're going to have a quick fix." Just last week, the SANS Institute's Internet Storm Center reported an attack in which hackers attempted to capture, via Internet Explorer, user-login information from customers of dozens of financial institutions.
BITS held an invitation-only meeting in February for its members and some undisclosed software companies, and, in late April, it unveiled a sweeping plan to encourage IT vendors to show a "higher duty of care" in delivering foolproof products. A detailed policy statement, issued jointly with the affiliated Financial Services Roundtable, calls on vendors to make security a fundamental part of software design, support older versions of products, make upgrades easier, improve the patch-management process, and give companies with "critical infrastructure" advance notice of new vulnerabilities.
The group hopes to influence product development and support across the technology industry. Prominent names are at the top of its list: Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft, Oracle, and PeopleSoft. "There are lots of potential weak links," Carlson says. "Our members said, 'These are important companies to engage.'"
InformationWeek surveyed some of those leading technology companies to assess their readiness to meet BITS's specific proposals. To see their answers, go to informationweek.com/996/ responses.htm.
BITS supports incentives, including tax breaks, to encourage vendors to put more research and development into security, and it promises to help protect industry groups from antitrust laws as they collaborate on security measures. It's also wielding a stick by encouraging regulators to share some of the information they already gather on the security practices of software companies.
Security professionals believe there's something to be gained by bringing the collective weight of an industry to bear on the issues they face every day. "These efforts present a united front and focused pressure, rather than each of us working on our own to improve software and to get change," says Gene Fredriksen, VP of information security with Raymond James & Associates, co-chair of BITS's software-security working group, and a member of its security and risk-assessment executive committee.
It doesn't hurt that BITS has the backing of some big guns. Thomas Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's board of directors. According to Cisco, its CEO, John Chambers, has met directly with the industry group.
BITS is rallying companies from other industries around the same set of issues. Technology executives from the telecommunications, chemical, and electric-utility industries were invited to its closed-door February meeting, and the group coordinated with the influential Business Roundtable on the details of its software-security policy and the timing of its release.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.