The IT department or the software vendors?
The silicon.com CIO Jury is split this week on whether software vendors should be forced to pay compensation when insecure products lead to costly security breaches and system downtime.
While everyone acknowledges that ultimately hackers and virus writers are the real villains, we asked our panel of CIOs and IT directors if software firms should cough up when poorly designed products lead to security breaches. The jury was hung, with six saying 'yes' and six saying 'no'.
Some of those who said software vendors should be forced to pay compensation if their insecure products led to security breaches or downtime did so with some reservation.
Margaret Smith, director of business information systems at Legal & General, said that while vendors should be held accountable in some way, compensation is not the way. "We may send them out of business if we pursue this litigious approach, which would in the end be damaging to us all."
Ted Woodhouse, IT director at Leeds Teaching Hospitals NHS Trust, said the answer should be 'yes' but that it would be difficult to prove and so he would be reluctant to put more money in the pockets of "legal vultures". Gavin Whatrup, IT director at advertising agency Delaney Lund Knox Warren & Partners, argued that clients would have to prove that the circumstances under which the security breach occurred were included within the design specification.
Others, however, were more unforgiving towards software companies. Henry McNeill, CIO at Telstra Europe, said: "If compensation was enforced, vendors would take a more serious approach to security considerations as a matter of necessity."
Frank Coyle, IT director at John Menzies Distribution, suggested some firms should be held accountable under the Trades Description Act. "Vendors are always happy to profit, and pick up any credit when their software is perceived to be successful, so they should be paying compensation when it causes damage," he said.
Users should also take responsibility for security breaches and accountability must be shared, according to Steve Ritchie, CIO at Investcorp. He said: "As long as the vendors make every effort to plug any holes that become apparent in a reasonable time - or at least make customers aware of the problem - they should have no greater or lesser responsibility than the users."
Neil Hammond, IT director at British Sugar, agreed that pursuing vendors for compensation would be wrong. "Because a software product can never be truly secure, if they were threatened with this sort of action it would drive very defensive behaviour which would be counterproductive.
This week's CIO Jury was…
Jeremy Acklam, IT Director, Virgin Trains
Frank Coyle, IT Director, John Menzies Distribution
Peter Dew, CIO, BOC
Bill Gibbons, CIO, Abbey Group
Neil Hammond, IT Director, British Sugar
Henry McNeill, CIO, Telstra Europe
Nick Masterson-Jones, IT Programmes Director, BACS
Dharmesh Mistry, CTO, edge IPK
Steve Ritchie, CIO, Investcorp
Margaret Smith, Director of Business Information Systems, Legal & General
Gavin Whatrup, IT Director, Delaney Lund Knox Warren & Partners
Ted Woodhouse, IT Director, Leeds Teaching Hospitals NHS Trust
If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at firstname.lastname@example.org