New device will evaluate effectiveness of IT security products

SAN FRANCISCO, March 16 (UPI) -- As competition grows for a share of the burgeoning market for security-related products, procurement agencies and decision-makers are facing increased pressure from manufacturers with new wares to market and sell.

A self-assessment tool for evaluating the effectiveness of information technology security products promises to make the job of choosing the right products easier for decision-makers.

Analysts said marketing jargon makes it tougher for decision-makers to choose the right products, often resulting in procurement errors and squandering of resources.

The Jericho Forum Self-Assessment Scheme, released by Jericho Forum, the IT security association, would help businesses choose the products that are appropriate for their needs.

SAS will allow vendors and customers to check if an IT security product would meet their needs. This has become a major issue as more organizations adopt Internet-based "cloud computing," which works like a public utility, allowing for shared resources.

SAS provides security vendors with a high-value, free-of-charge tool to assess how well a solution satisfies the requirements, Jericho Forum said.

The Jericho Forum Self-Assessment Scheme is free to download from the jerichoforum.org Web site and is designed to "raise the bar for the entire security industry" by asking the probing questions that reveal if a security product or solution meets an organization's requirements.

Jericho Forum said the tool would be valuable to security vendors wishing to self-assess products and architectures and demonstrate their effectiveness as a market differentiator.

It will also serve user organizations that are looking to compare IT security products and incorporate key SAS requirements into requests for procurement, Jericho Forum said.

User organizations that wish to self-assess the security of system implementations and architectures as well as their readiness for cloud computing also qualify for adoption of the SAS tool.

IT systems architects and designers that are looking to validate the security of their architecture designs will also find the tool invaluable.

The ultimate goal of the Self-Assessment Scheme is to influence IT product innovation and market forces to be security-driven instead of purely feature-driven, Jericho said.

Dan Blum, senior vice president and principal analyst at Burton Group/Gartner, welcomed the introduction of SAS. He said SAS will help vendors and customers give themselves "an architecture checkup and it is therefore a useful way to measure cloud-readiness."

Paul Simmonds, Jericho Forum board member, said this is "an open invitation to the IT industry to improve security design standards."

SAS asks a series of questions that are geared to exposing a product's security flaws or loopholes. It enables vendors to differentiate products on a three-tiered scoring process.

The self-policing aspect of the scheme relies on the honesty of the submitters and the knowledge that their reputation will be damaged if their scorecard is exposed as including false claims."

Philippe Courtot, chief executive officer of Qualys and Jericho Forum board member, said he hoped the tool would help greater exchange of information among buyers and sellers.

"The need for collaboration has never been greater and yet the myriad of

business models and vendor offerings" makes the job "highly challenging" for those expected to buy the products, he said.