The rise of security acquisition policy

Will 2009 be the year that large companies' IT departments begin demanding secure software from their vendors?

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

The state of information security is pretty poor, and large organizations have neither the time nor the money to continue to add security safeguards onto their networks to protect them against the latest threat du jour.

I believe we are at a tipping point where CIOs push back on their vendors with a new "enough is enough" acquisition policy. In 2009, expect large organizations to establish an acquisition policy mandating that their vendors either deliver secure products or lose their business.

What do I mean here? CIOs will demand that IT vendors provide:

1. Secure product design, development, and testing. Software and hardware products must be designed to anticipate and minimize potential attacks. Additionally, vendors will be required to adopt secure and auditable software development and testing processes.

2. Secure default configurations. Users should not be forced to jump through hoops to secure products "out of the box." Rather, default configurations must be hardened from the get-go.

3. Security support. Vendors will be required to have proper processes and procedures to respond quickly and consistently to any security problems that arise with products in the field. Furthermore, vendors must have field engineers and support personnel who can help customers integrate individual products into secure architectures consisting of networks, servers, operating systems, databases, applications, and storage devices.

I expect the federal government (with its $70 billion-plus IT budget) to make secure acquisition policy part of the revised Federal Information Security Management Act sometime this year. Once Congress gets the ball rolling, the National Institute of Standards and Technology, and perhaps the National Security Agency, will quickly follow with formal guidelines. Note that secure acquisition policy was one of the suggestions posed to President-elect Barack Obama in the recent Center for Strategic and International Studies report. Industries beyond the federal government will follow this lead.

Yes, this will put pressure on the IT industry, especially venture-backed start-ups focused on features and functionality at all costs. Tough luck for sure, but this will be a wake-up call to the entire industry. Users want security that is baked in, not bolted on. IT vendors will either come to terms with this or suffer the consequences.