Wield Sticks, Dangle Carrots

Recently, the US Air Force, mired in patching hell, got what it wanted from Microsoft - a more secure version of Windows, configured uniformly across the agency. Microsoft agreed to the deal, according to reports, because the Air Force had considered moving to open source software. The Air Force CIO and security champion John Gilligan was quoted as saying at the time: "We want Microsoft focused not on selling us products but [on enhancing] the Air Force in our mission." He added that he hoped his agency's demands would spill over to other organizations that could take advantage of the secure configuration.

At any rate, Gilligan has a pretty big stick to wield (or carrot to dangle, depending on whether you're an optimist or a pessimist) to get what he wants - a $US500 million contract. But incentives as a Big Idea, to motivate others into better security, can be applied by anyone. Here are some of the incentives-based programs suggested to us:

• Get a legal opinion. Christofer Hoff, CISO of WesCorp, says that users should require their vendors to have lawyers run software through

the assessment mill and churn out a legal opinion on how its security would hold up in a liability case. Watch as the vendors scramble to make sure their software can pass muster.

• Software Underwriters Laboratory (UL). Why not warehouse those legal opinions or other independent assessments with a UL-like organization. You wouldn't buy a $400 iPod if it didn't get approved by UL, but you'd buy a $4 million software system with no analogous security assessment?

• If those Big Ideas take off, then watch as the insurance industry uses the data to adjust premiums. Vendors would instantly devote more resources to building better, which would result in lower insurance rates on their products.

• File class-action lawsuits. It may come to this. Keeping with the smoking analogy, all it will take is a sufficient level of outrage and damage before enterprising lawyers - who've already tried this - successfully hold vendors accountable for poor software.

Treat End Users Like the Dummies They Are

Amoroso of AT&T believes that the fundamental security problem is that during the past decade, and quite unintentionally, the network's intelligence has migrated to the edge. "We're all sys admins," he says. And millions of end users holding sway over their security settings translates to millions of potential dumb configurations, boneheaded double-clicks and unintentional security lapses. Accidents happen, and bad guys take advantage of the fact that not all end users are created equal in terms of security.

After all, Amoroso argues, do you control power distribution around your house, or do you just plug stuff in?

He thinks AT&T can make a ton of money off this idea: Return control to the network providers (like his own company's phone system in the 1970s, he says, a time when Ma Bell controlled everything, including the technology's interface), and let the providers charge you for doing all of the filtering, traffic analytics, worm detection and incident response. "That's my solution," Amoroso says. "Create a service. Make money."

Becky Autry, CIO of the United States Olympic Committee, loves Amoroso's plan. "It's overwhelming; I'm overwhelmed," she sighs. Autry has a network staff of just three to handle IT for three training centres as well as events security. "Smaller organizations just can't get good or dedicated staff to handle a problem that's so large and changing so quickly."