The influential Jericho Forum has published a free ‘tool’ it hopes will be used by companies to work out which security systems to invest in – and which to pass on – before buying them.
Describing itself unofficially as “the set of nasty questions to ask your security vendors”, the tool is actually a full self-assessment methodology in the form of a series of 11 principles, complete with descriptions of how to relate these to ‘acceptable’ and ‘best practice’.
At the end of the assessment, an overall score is calculated taking into account whether the product or system in question achieves these basic standards. There is no absolute score that must be achieved, but the scores can be used, the Forum argues, as a rational means of assessing whether any system is ‘mature’.
Those familiar with the Forum will recognise the principles as the 11 commandments that have been used since its inception in 2004.
“The Jericho Forum is trying to signal where we should be moving in the next decade,” said Forum member Adrian Seccombe, whose day job until recently was at Eli Lilly, where he was CISO. Interestingly, Seccombe sees the tool as also being of value to vendors as a way of demonstrating the efficiency of a product, and to companies which already have a system in place but want to review its security-worthiness.
The tool’s self-proclaimed ideal is to persuade vendors to move from feature-driven security to a design process where security is put first.
Will every vendor be pleased about having its products assessed in this way? According to Seccombe, some vendors are enthusiastic, some possibly less so. Many will keep the scores private.
“There are some cynical vendors out there but they tend to be the ones living in the last century,” he said, pointing out that enlightened vendors could use the tool to work out a product’s strengths and weaknesses. The important part of the market was the middle ground that wanted to evolve.
The Forum itself already has vendors and service providers as members, of course.
“As more and more applications move into the cloud, assessing the level of security computing vendors really provide is a major effort,” said Qualys CEO and Forum board member, Philippe Courtot. “Such an initiative will definitively help improve the necessary transparency cloud computing vendors must deliver.”
The Jericho Forum Self-Assessment Scheme document [PDF] can be downloaded directly from the group’s website.