'Irresponsible' encryption experts threaten corporate security

IT professionals call for more checks and balances...

By Sally Watson, 30 January 2002 17:45

IT professionals think security vendors should be regulated to prevent "negligent and irresponsible" project implementation.

According to a survey, sponsored by PKI specialist Indicii Salus, 68 per cent of respondents felt encryption companies were behaving irresponsibly by allowing anyone to download their software. Relative novices can then use the technology without fully understanding it, thereby jeopardising the security of the companies employing their services.

A similar number of respondents felt an independent body should be set up by the government and industry to monitor the purchase and use of encryption technology.

Paran Chandraekaran, chief executive of Indicii Salus, said that people in the IT industry are angry with the top management consultancies in particular for offering 'slapdash' security advice. "You can't just box security up and shove it out to Joe Public," he told silicon.com.

In one example, Chandraekaran came across a 26-year-old consultant with three months' information security training who had been sent to a FTSE 250 company to implement a £1.2m European rollout. "It beggars belief that you can irresponsibly sell this kind of business and mission critical kit," he added.

According to Chandraekaran, problems occur particularly after PKI technology has been rolled out across a large organisation, leaving encryption keys stored on the desktop vulnerable to spoofing and copying. "Until we get to be more responsible about weeding out irresponsible vendors then we're putting our businesses and infrastructures at risk," he said.

Fred Piper, a professor at the University of London, agreed that the situation for companies wanting to buy security technology wasn't clear. "There are obviously problems," he said. "Many people are making exaggerated claims for PKI."

The DTI is expected to release the findings of a study into the information security industry in the next few weeks, which could lead to security professionals being licensed under the Private Security Industry Act.
