Why improved security is well worth waiting for

In this issue of SC Magazine we report on the growth of user power, and a move to force (or persuade) vendors to provide the kind of products we all need.

The mood is being driven by a number of factors. For a start, the new raft of corporate governance legislation has brought information security to the attention of senior management. The people in the board room have begun to realise that it's their head on the block if security is shown to be deficient, so now (at last) they are taking it seriously.

They then put the pressure on the IT department to tighten security. But that's easier said than done – IT has an unending list of new vulnerabilities to fix, and the situation is getting worse. In fact, patch management has become one of the biggest sources of pain for IT purchasers.

At the same time, businesses are making increased use of the internet to communicate with their customers, employees, partners and suppliers – all of which creates more opportunity for a breach of security. Ah, how some of you must yearn for those old days of the hermetically sealed mainframe computer.

So the infosec professional is caught at the confluence of all these trends, bravely trying to deploy patches and maintain security, while also trying not to be seen as an inhibitor to the business. It's a tough balancing act.

Then someone made an interesting observation: if software did not have so many holes in it in the first place, we wouldn't have to spend so much time and money applying patches. Would it not be possible just to produce better software?

This heretical point of view started to circulate, along with the equally outrageous idea that software companies might even be financially liable for the cost of patching. We were getting into dangerous waters.

Now the battle is out in the open. User groups on both sides of the Atlantic are pressing the vendors to improve their performance. For example, a recent meeting of financial services companies in the US told vendors they were no longer prepared to be an unofficial QA department for deficient products. They want the software development process to improve, and fast.

But if users want quality, they will also need to be patient. As Bill Gates announced at the RSA show last month, Microsoft is shifting resources from new product development to improve security in existing products. Customers should welcome the news, even if it means that Longhorn, the next-generation operating system, will take longer to arrive.

Ron Condon is editor in chief of SC Magazine