Our editor Illena Armstrong is pounding the aisles at RSA with the rest of the editorial team as SC Magazine goes to press, so it falls to me this month to provide some perspective on recent events. I hope regular readers of this column will not feel cheated.
From where I sit, the predominant mood seems to be one of rising user power. The users (who include most of you out there) seem to be fast losing patience with the security vendors, and it's not hard to see why. For a start, the new raft of corporate governance legislation has brought IT security to the attention of senior management. The guys in the board room have suddenly realized that it's their head on the block if security is shown to be deficient, so now (at last) they're taking security seriously.
They then put the pressure on the IT department to tighten security. But that's easier said than done – IT has an unending list of new vulnerabilities to fix, and the situation is getting worse. In fact, patch management has become one of the biggest sources of pain for IT purchasers.
At the same time, businesses are making increased use of the internet to communicate with customers, employees, partners, suppliers – all of which creates more opportunity for a breach of security. Ah, how some of you must yearn for those old days of the hermetically sealed mainframe computer.
Anyway, the infosec professional is caught at the confluence of all these trends, bravely trying to deploy new patches and maintain security, while also trying not to be seen as an inhibitor to the business. It's a tough balancing act.
Then someone made an interesting observation: if software did not have so many holes in it in the first place, we wouldn't have to spend so much time and money applying patches. Would it not be possible just to produce better software? This heretical point of view started to circulate, along with the equally outrageous idea that software companies might even be financially liable for the cost of patching. We were getting into dangerous waters.
Now the battle is out in the open. User groups on both sides of the Atlantic are pressing the vendors to improve their performance. For example, a recent meeting of financial services companies in the U.S. told vendors that they were no longer prepared to be an unofficial QA department for deficient products. They want the software development process to improve, and fast.
However, if users want quality, they will need to be patient. As Bill Gates announced at the RSA show, Microsoft is shifting resources from new product development to improve security in existing products. Customers should welcome the news, even if it means that Longhorn, the next-generation operating system, will take longer to arrive.
Ron Condon is editor in chief of SC Magazine