The eWeek editors have an interesting column this week proposing a new purchasing model for IT – one in which vendors take system-wide responsibility for security. Quote:
Indeed, in a service-based model of IT, there should be no distinction between the vulnerability of an endpoint device—a product—and the vulnerability of a server—that is, the nexus of a service. The PC industry has set an unfortunate precedent with the notion that anti-virus, firewall and connection-monitoring utilities are aftermarket products to be chosen, installed and configured by the user. It’s high time that this precedent be overturned. ISPs and other interested parties should accept and even promote their role in end-to-end assurance. AOL has set a good example with its promotion of anti-virus and anti-spyware technology, but there’s room for much more: The utility computing advocates at IBM and Sun, and the transaction-oriented powers of eBay, Amazon.com, Charles Schwab and the like, should change their terms of service to take responsibility for security.
Interesting, but quite obviously unworkable in practice. Vendors are not insurers, after all, and their answer is a simple one: this is not simple stuff, it is exceedingly complicated, and the world is a dangerous place, full of very smart people who love to hack security. And so the debate over responsibility for security has been generating a lot of noise and heat recently, but so far little in the way of proposals that are practically workable. So far, vendors have been keeping their heads low, perhaps waiting for the fireworks to die down? Well, they won’t.
I’ve written about these issues a lot here recently (see here and here, for example), but another idea occurs to me. The proponents of increased vendor liability for security are presumably basing their views on the theory that this is risk that can be quantified and therefore allocated on a more (in their view) efficient basis. If that’s true, then there is a role for innovative insurance products here. Is there an opportunity for the creative development of insurance products designed to protect IT system users from security threats? Just how would one design, and then risk-assess, such a product?