When Microsoft published its position paper on trustworthy computing in 2002, it built its proposition on four pillars:
- Security
- Privacy
- Reliability
- Business Practices
Of those, the world of software developers jumped on the first three. Improving security, privacy and reliability became the objective (or even obsession) of many companies. The fourth one, business practices (later renamed to ‘business integrity’), enjoyed much less of the spotlight.
There is a reason for it, of course. It is easier to improve your software and hardware products than the way you conduct business. It is easier to demand high moral standards from software developers than from business developers, from testers than from sales people.
However, Microsoft was right. Without putting your business in order, you will not be able to create software that is truly trustworthy. No level of reliability and security (or even privacy) can compensate for it. They all will remain unfulfilled promises, and promises only.
The most important reason is that the majority of our software is managed. Even if you think you are simply buying a product, you are in effect entering into a relationship. You are dependent on weekly or daily updates. You are dependent on the company you bought your product from, and on the way it conducts business.
This may be bleedingly obvious to you, but is it really included in your everyday risk assessment? Are you willing to pay more for a product from a trustworthy company just because it saves you problems down the line? Or are you forced to chase the cheapest option, only to be disappointed once you have handed your money over?
The challenge of being trustworthy does not lie only on the manufacturer's side. Unless we acknowledge this trustworthiness (and are willing to pay for it), business integrity and trustworthy software will remain as unavailable as ever.