IT WEEK • 6 DECEMBER 2004

MANAGEMENTWEEK
WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett

36 COMMENT Legal challenges for 2005
36 INTERVIEW Oracle’s chief security officer explains how companies will benefit from its quarterly patching regime
Good steering stops crashes
Claire Pope

Recent failures of high-profile government IT systems have highlighted the need for improved project management and proper planning processes for technology upgrades.

Last month, a routine desktop software upgrade at the Department of Work and Pensions (DWP) left approximately 80 percent of employees unable to access critical payment processing systems. This was caused by an incompatible system being downloaded onto the entire network, according to reports.

The Child Support Agency (CSA) also recently experienced problems, with its £456m IT system developed by EDS, which apparently passed two official reviews despite the lack of a contingency plan. In a hearing last month, MPs were told that over the past 18 months almost half a million applications for support had been made. However, only 13 percent had resulted in a successful payment. A lack of efficiency in the new IT system was implicated.

Doug Smith, the CSA’s chief executive, said that he was disappointed with the performance of his department’s technology system, and subsequently announced his resignation.

These recent problems show the dangers of firms not fully understanding the impact of changes to their technology. Paul Arthur of business service management firm BMC Software said the DWP upgrade would not have caused such havoc if correct processes had been in place. These processes should have come from the IT department properly aligning itself to organisational goals, he added.

Andy Baldin, operations director of management software vendor LanDesk Software, said it was probably the scale of the DWP’s upgrade that caused systems to fail. “Migrating up to 80,000 [PCs] in a weekend is asking for trouble,” he said.

Baldin cited the example of the University Hospital of Birmingham that successfully upgraded 2,500 PCs and 500 servers from Windows 95, 98 and 2000. “The plan they went through took just under a year,” he said. “They planned it properly and put processes in place to make sure they phased the upgrade over a period of time. This allowed them to make sure the impact of any errors would be minimal on the organisation,” he added.

Comprehensive planning is vital to the smooth rollout or upgrade of IT systems, according to Baldin. “Firstly, companies should put together a project plan that will allow the IT department to phase the delivery of both operating systems and applications or just patches across the network. This enables the IT department to maintain control,” he added.

Baldin said upgrades should then be rolled out across controlled subsets of the environment. “Firms must design a rollback mechanism to ensure that should anything untoward occur there is a very simple way of getting back the state the PCs were in before the upgrade took place,” he added.

STEPS TO STOP FAILURE
• Consider business impact of upgrades
• Phase the delivery of patches or apps
• Implement a rollback mechanism
Source: LanDesk Software
IT jobs to remain in UK
Martin Courtney

The threat to UK jobs caused by outsourcing more IT roles abroad may be less severe than many critics have suggested, according to some experts, even though two recent studies point to further growth in outsourcing.

A poll conducted at last month’s National Outsourcing Association (NOA) summit found 72 percent of companies and 82 percent of suppliers believe IT departments will look to outsourcing to cut operational costs and increase organisational flexibility.

But although specific roles such as software development and helpdesk support are prime candidates for offshoring to countries with lower costs and larger pools of labour, certain jobs may never leave the UK, or even the in-house IT department.

NOA founding member Nigel Roxburgh said IT professionals in the UK would not lose their jobs as long as the economy is growing. He believes that there are three things – standards, security and strategy – that should never be outsourced, and the outsourcing trend merely indicates a changing corporate business model.

“Outsourcing rarely results in redundancies in organisations that grow, though things might be different if there is a downturn,” said Roxburgh. “Those in growing organisations will find more than enough work to do, if not in IT then with the user interface side of things.”

A separate report released by the British Computer Society (BCS) indicates that the growing trend to offshore IT skills could cause 12 percent of current UK IT jobs to be lost by 2010.

Elisabeth Sparrow, chair of the BCS offshoring working party that produced the report, predicted that though 12 percent of UK IT professionals may end up losing their jobs by the end of the decade, most roles would be safe.

“We have identified a lot of specific opportunities,” said Sparrow. “There will be a lot of work remaining onshore for those working in trusted computing and security, project and programme management, technical architects dealing with the whole organisation’s [IT] requirements, and those pulling in and managing services from different suppliers.”

www.noa.co.uk www.bcs.org.uk

Roxburgh: minimal loss

OUTSOURCING TRENDS
• A recent survey found 72 percent of firms and 82 percent of suppliers see outsourcing as a way to cut operational costs and increase organisational flexibility.
• The British Computer Society says 12 percent of IT jobs may go offshore by 2010 but most will stay.
CONTENTS
36 COMMENT New regulations on software patents, computer crime and the disposal of electronic equipment could alter firms’ priorities in the coming year, says John Barker
37 INTERVIEW Oracle’s chief security officer, Mary Ann Davidson, explains how quarterly patch releases will give organisations better-tested fixes in a more convenient form
Firms ignore green issues when buying
Madeline Bennett

Environmental issues have little bearing on companies’ IT purchasing decisions, new research has found. This is despite the current emphasis on corporate social responsibility and forthcoming IT recycling laws.

Only two percent of UK firms cited environmental friendliness as a deciding factor when purchasing equipment such as printers and copiers, according to a study by printer manufacturer Ricoh.

Fifty-seven percent said running costs were the top concern when choosing new devices, while functionality was an important factor for just over a fifth of the 612 respondents.

Ricoh’s Tom Wagland said firms’ purchasing criteria meant green issues had a low priority. “Although businesses claim to be environmentally friendly, only a small number are actively implementing green procurement practices,” he said.

Ricoh promotes the use of the EU’s Energy Star logo – a quality stamp for environmentally-friendly goods. But the study indicated almost two-thirds of UK firms do not have equipment with this stamp, while 24 percent were unsure on the matter.

The lack of focus on green issues could soon backfire on firms. Next year, the UK will introduce IT recycling laws as directed by the EU, to enforce the environmentally-friendly disposal of junked electrical goods.

Wagland added that environmentally-friendly goods could also be friendly to firms’ bank balances. “By opting for an energy-efficient device, firms can dramatically reduce running costs and prolong the life of machines through power-management features.”

Legal challenges, p36 Last Word, p38
www.ricoh.co.uk/environment
www.eu-energystar.org

itweek.co.uk
35
What legal challenges lie in wait?
New laws on software patents, computer crime and the disposal of electronic equipment could alter the priorities of firms and IT managers in the coming year, says John Barker

The Computer Misuse Act (CMA) came into force in 1990, specifying offences of attacks against computer systems or data. It was designed to provide protection for systems and data, and to help maintain their confidentiality, integrity and availability.

There is a widely-held view that the CMA is now deficient because technology has moved on. After substantial lobbying by various pressure groups, the government has decided that the legislation should be updated to deal with new technologies, and reforms are planned for 2005. The changes to the law are likely to cover denial-of-service attacks and adjust penalties for the offence of unauthorised access.

However, I am not sure that these changes are required. The CMA is technologically neutral, and its terms – such as “computer” – are deliberately undefined to provide flexibility for the courts to interpret them widely. The courts have shown a willingness to do this, and most judgements have interpreted the act in a sensible way.

The technology world might also be shaken up by new software patent legislation next year. In June 2004, the European Council of Ministers approved a controversial draft Software Patents Directive, which may open the way for the patenting of software in Europe.

Currently, in the UK, developers can protect their proprietary rights over software by relying on the law of copyright. There is no defined registration system as protection is deemed to arise automatically.

The directive’s stated purpose is to harmonise patent regulations for computer-related inventions across the EU, while steering away from a US-style patent free-for-all. However, critics of the proposals say the European Commission and the European Council are ignoring those aims in favour of the interests of large firms. They say the wording of the directive would let large firms build up software patent arsenals, and so lock out smaller firms from developing similar products.

Things came to a head late last month, as the Polish government blocked the passage of the directive. The final vote should occur before the end of the year, and 2005 may see the death of the directive.

IT equipment recycling will also pose problems for firms from next year, with the introduction of European Waste Electrical and Electronic Equipment (WEEE) laws. This October, the DTI released a consultation paper, draft regulations and guidance for the recycling of commercial electrical and electronic equipment.

The WEEE regulations are due to come into force on 13 August 2005, and they will force manufacturers and distributors of electrical kit to ensure that systems are in place for the collection, treatment, recovery and environmentally-friendly disposal of computer hardware. Businesses classified as “producers” of electrical and electronic equipment will have obligations to finance the eventual treatment of collected waste equipment.

Although they are in the news, I have not focused on Basel II or the Data Protection Act, as there will be no new compliance requirements for 2005. The US Sarbanes-Oxley Act, which imposes corporate governance rules on multinationals, will affect firms in 2005, but that particular law would need a whole column and more to itself. ITW

Last Word, p38 [email protected]
• John Barker is an IT specialist at law firm Last Cawthra Feather

Oracle eases patch control
Oracle’s chief security officer, Mary Ann Davidson, argues that a transition to quarterly patch releases will provide firms with better-tested fixes in a more convenient form
PATCHING INTERVIEW BY BRIAN FONSECA

IT Week: As Oracle’s security chief, can you explain the decision behind the dates for the new quarterly patch bundles – 18 January, 12 April, 12 July and 18 October?

Mary Ann Davidson: We picked the dates based on trying to optimise around most people’s calendars, [and to avoid] blackout periods. If there are multiple security issues that affect different products, all those patches will come out at the same time. That way, you don’t have to take your system down this month for the database, and next month for the application server. Customers say that they will have a meltdown [if it were necessary to apply patch bundles] once a month, but once a quarter seemed something they could live with.

Do you anticipate that any patches will be released outside of those dates?

There perhaps still may be occasions where we will do traditional security alerts but only in cases of high security issues if there’s a patch available. Generally speaking, we are going to try to adhere to regular schedules. It’s better for us and better for our customers.

How will you help organisations with their planning for patches?

We’ll send out reminders. As part of this effort, we are also looking at how we can provide better information to customers, which includes: which patches do I apply first, be it a database or application server. We will also try to anticipate questions that customers will ask us and provide FAQs [with the bundles]. What you don’t want is to have people call you for information [they] should have had in the first place.

How do you respond to recent criticism from some people in the security research community that Oracle has been too slow in rolling out patches?

From a researcher’s standpoint, their definition is, “I told you about [a vulnerability] on Tuesday, and you should have a patch ready in two days.” But from a customer standpoint, that doesn’t solve their problem. A customer’s problem isn’t fixed until they have something in their hands that has the version they’re running on, and applying [the patch] isn’t going to break what they have installed.

Do you agree with security vendors who say that firms need additional third-party protection to secure their databases?

There’s a lot that goes into securing your database, like instructive testing. That’s something a third party cannot help you with. It’s our code. If we can’t do that, there’s nothing a third-party database vendor can help with. Also, in terms of the [database] security features and functions, it’s our product, and we feel that we do a better job with our customers. We don’t lose business on security.

What are some of your customers’ biggest concerns for database security?

I think a lot of [fears] are driven by regulatory compliance, in a way forcing them to do good things they may have not done before. I have had discussions with customers that are using products that have not been supported for 10 years, and they have never applied patches. The assumption is that nothing bad happened and nothing ever will. Now they want you to do security analysis to tell them if they’re at risk – especially for mission-critical systems. ITW

www.oracle.com www.eweek.com
© eWeek USA 2004

Davidson: less disruption

ABOUT MARY ANN DAVIDSON
• Mary Ann Davidson is chief security officer at Oracle, where she is responsible for security assessments and incident handling.
• Davidson also represents the database giant on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC).
• Davidson has also served as a commissioned officer in the US Navy Civil Engineer Corps.

36