Companies are banding together to push IT vendors into making their products more secure
What began as an uncoordinated din of IT professionals complaining about computer security has turned into a collective movement that's spanning entire industries. For evidence, consider the actions taken by BITS, a powerful financial-industry organization that recently crafted a detailed security policy on how it expects technology companies to respond to the needs of its member firms. Two weeks ago, the nonprofit consortium squeezed concessions from Microsoft. Now, other big-name vendors are in its sights.
BITS acted because the costs and risks associated with rising software vulnerabilities have become "untenable," senior director John Carlson says. Coping with software vulnerabilities has become a $1 billion-a-year problem for the financial industry, according to BITS, whose heavyweight roster includes Bank of America, Citigroup, Fidelity Investments, and Wells Fargo. "We clearly anticipated that the costs are going to increase over time unless something is done," Carlson says.
Dissatisfied with the pace at which IT vendors were moving to address security problems, BITS decided to engage them on its own terms. "There's almost no one who's immune," says Larry Seibel, information security director at Huntington National Bank, whose chairman and CEO, Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone believes we're going to have a quick fix." Just last week, the SANS Institute's Internet Storm Center reported an attack in which hackers attempted to capture, via Internet Explorer, user-login information from customers of dozens of financial institutions.
BITS held an invitation-only meeting in February for its members and some undisclosed software companies, and, in late April, it unveiled a sweeping plan to encourage IT vendors to show a "higher duty of care" in delivering foolproof products. A detailed policy statement, issued jointly with the affiliated Financial Services Roundtable, calls on vendors to make security a fundamental part of software design, support older versions of products, make upgrades easier, improve the patch-management process, and give companies with "critical infrastructure" advance notice of new vulnerabilities.
The group hopes to influence product development and support across the technology industry. Prominent names are at the top of its list: Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft, Oracle, and PeopleSoft. "There are lots of potential weak links," Carlson says. "Our members said, 'These are important companies to engage.'"
InformationWeek surveyed some of those leading technology companies to assess their readiness to meet BITS's specific proposals. To see their answers, go to informationweek.com/996/responses.htm.
BITS supports incentives, including tax breaks, to encourage vendors to put more research and development into security, and it promises to help protect industry groups from antitrust laws as they collaborate on security measures. It's also wielding a stick by encouraging regulators to share some of the information they already gather on the security practices of software companies.
Security professionals believe there's something to be gained by bringing the collective weight of an industry to bear on the issues they face every day. "These efforts present a united front and focused pressure, rather than each of us working on our own to improve software and to get change," says Gene Fredriksen, VP of information security with Raymond James & Associates, co-chair of BITS's software-security working group, and a member of its security and risk-assessment executive committee.
It doesn't hurt that BITS has the backing of some big guns. Thomas Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's board of directors. According to Cisco, its CEO, John Chambers, has met directly with the industry group.
BITS is rallying companies from other industries around the same set of issues. Technology executives from the telecommunications, chemical, and electric-utility industries were invited to its closed-door February meeting, and the group coordinated with the influential Business Roundtable on the details of its software-security policy and the timing of its release.