Applying Pressure - InformationWeek


Applying Pressure

Companies are banding together to push IT vendors into making their products more secure

What began as an uncoordinated din of IT professionals complaining about computer security has turned into a collective movement that's spanning entire industries. For evidence, consider the actions taken by BITS, a powerful financial-industry organization that recently crafted a detailed security policy on how it expects technology companies to respond to the needs of its member firms. Two weeks ago, the nonprofit consortium squeezed concessions from Microsoft. Now, other big-name vendors are in its sights.

BITS acted because the costs and risks associated with rising software vulnerabilities have become "untenable," senior director John Carlson says. Coping with software vulnerabilities has become a $1 billion-a-year problem for the financial industry, according to BITS, whose heavyweight roster includes Bank of America, Citigroup, Fidelity Investments, and Wells Fargo. "We clearly anticipated that the costs are going to increase over time unless something is done," Carlson says.

"There's almost no one who's immune," says Larry Seibel, information security director at Huntington National Bank. Photo by Janet Adams

Dissatisfied with the pace at which IT vendors were moving to address security problems, BITS decided to engage them on its own terms. "There's almost no one who's immune," says Larry Seibel, information security director at Huntington National Bank, whose chairman and CEO, Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone believes we're going to have a quick fix." Just last week, the SANS Institute's Internet Storm Center reported an attack in which hackers attempted to capture, via Internet Explorer, user-login information from customers of dozens of financial institutions.

BITS held an invitation-only meeting in February for its members and some undisclosed software companies, and, in late April, it unveiled a sweeping plan to encourage IT vendors to show a "higher duty of care" in delivering foolproof products. A detailed policy statement, issued jointly with the affiliated Financial Services Roundtable, calls on vendors to make security a fundamental part of software design, support older versions of products, make upgrades easier, improve the patch-management process, and give companies with "critical infrastructure" advance notice of new vulnerabilities.

The group hopes to influence product development and support across the technology industry. Prominent names are at the top of its list: Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft, Oracle, and PeopleSoft. "There are lots of potential weak links," Carlson says. "Our members said, 'These are important companies to engage.'"

InformationWeek surveyed some of those leading technology companies to assess their readiness to meet BITS's specific proposals. To see their answers, go to responses.htm.

BITS supports incentives, including tax breaks, to encourage vendors to put more research and development into security, and it promises to help protect industry groups from antitrust laws as they collaborate on security measures. It's also wielding a stick by encouraging regulators to share some of the information they already gather on the security practices of software companies.

Security professionals believe there's something to be gained by bringing the collective weight of an industry to bear on the issues they face every day. "These efforts present a united front and focused pressure, rather than each of us working on our own to improve software and to get change," says Gene Fredriksen, VP of information security with Raymond James & Associates, co-chair of BITS's software-security working group, and a member of its security and risk-assessment executive committee.

It doesn't hurt that BITS has the backing of some big guns. Thomas Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's board of directors. According to Cisco, its CEO, John Chambers, has met directly with the industry group.

BITS is rallying companies from other industries around the same set of issues. Technology executives from the telecommunications, chemical, and electric-utility industries were invited to its closed-door February meeting, and the group coordinated with the influential Business Roundtable on the details of its software-security policy and the timing of its release.
