4 min read

Applying Pressure

Companies are banding together to push IT vendors into making their products more secure
"Everyone's looking at everyone else's work, saying, 'What can we do working in collaboration with each other to solve this problem?'" Carlson says from his Washington office, where he had just returned from a meeting last week of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Last month, the chairman of that subcommittee, Rep. Adam Putnam, R-Fla., co-authored an amendment to the 1996 Clinger-Cohen Act that would make information security a required consideration when government agencies buy computer systems. Putnam is monitoring self-regulation efforts by groups such as BITS in the private sector.

Microsoft's arrangement with BITS was the first of its kind, but it won't be the last, says Gytis Barzdukas, director of product management with the vendor's security business and technology unit. After six months of discussions, BITS talked Microsoft into providing more-favorable terms for Windows NT 4.0 custom support and making Windows support personnel available to BITS's members in their local offices. Both sides say further cooperation is planned.

The risks to a bank's reputation from security attacks can equal or surpass losses from lawsuits or penalties, Marguerite Gear, VP and sourcing manager at Bank of America. Photo by Sacha Lecca

The risks to a bank's reputation from security attacks can equal or surpass losses from lawsuits or penalties, Bank of America's Gear says.

Photo by Sacha Lecca
With new security threats popping up weekly, banks have kept one eye on the perpetrators and the other on regulators. Marguerite Gear, VP and sourcing manager at Bank of America, says the risks to a bank's reputation can equal or surpass losses from lawsuits or penalties. "In financial services, trust is paramount," she says. "Identity thefts, firewall attacks, viruses, or intrusions can devastate a bank."

Under Basel II, an accord reached last month by international banking authorities, large banks must be able to measure by the end of 2007 their exposure to operational risk, including software flaws, in addition to credit and market risk. Large financial institutions have had Basel II preparations under way for at least a year, beginning with compiling data about previous cyberattacks and formulating scenarios about potential new ones.

Conscious of the need to proceed without disrupting ongoing business activities, teams of IT, compliance, legal, and audit specialists are working to formulate plans combining all these elements. The hope is that by working collaboratively, they can present business heads with a single plan of action. "We don't want to go to them with one set of compliance questions and another set of security questions," says an information security executive at a large multinational bank.

When reviewing software products, this executive says, "we ask [vendors] to show us their model for providing software updates and patch distribution, both during the ordinary course of business and during emergencies." Vendors are grilled on their response procedures in the event of a crisis. Bank of America's Gear says banks routinely write into contracts clauses that specify software products are warranted as being free of malicious code. "It's a huge, huge issue," she says.

BITS has set the security bar high with its own stringent set of criteria for product certification, introduced in 1999 and reintroduced two years ago after being aligned more closely with the international security evaluation standard known as the Common Criteria. So far, only two products--HP's VirtualVault and Archer Technologies' SmartSuite Framework--have passed muster. "It tells us software companies have a lot of work to do in terms of meeting the targeted needs of our profiles," Carlson says.

Carlson and many security professionals agree that vendors have shown an increased willingness to address their concerns and acknowledge that IT departments bear much of the responsibility for securing their systems and networks. But they say vendor efforts haven't yet passed the most important test: There's been no decline in the number of security threats or attacks, or in costs associated with them (see story, Under Attack).

What comes next? BITS is working to define best practices for patch-management and on security issues associated with spyware, wireless technologies, and remote access. Users would also like to see increased collaboration among technology suppliers themselves. "Ultimately, I would like to see the industry get to the point where we have common security baselines among vendors," says Raymond James' Fredriksen.

Oracle is thinking along the same lines. "The next frontier is for vendors to drop their competitiveness," says Mary Ann Davidson, Oracle's chief security officer. "Developing secure code is not a trade secret. Vendors need to start calling each other up and sharing development techniques. The hackers certainly share attack and vulnerability information."

If the vendors can ever outpace the hackers, their customers will deserve part of the credit.