Organizations should be convinced that the vendor has an aggressive plan for handling problems that may arise, and that the vendor has a strictly followed incident response policy for determining the severity level of a security vulnerability.
Although these questions add a step to the product evaluation process, they raise the bar on security. If the industry fails to follow these guidelines, it risks government agencies regulating the process.
Laws governing the way the healthcare and financial industries guard their data have already been instituted. If the rest of the market responsibly polices itself, such regulations will not be necessary.
"IT" now stands for "infrastructure technology," and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about critical IT systems going down because of design defects.
Adhering to these guidelines and choosing more robust, secure software is a sound business move that will cut costs and improve business in the short and near term.
Mary Ann Davidson is Oracle Corp.'s chief security officer.