If business collaboration and ecommerce are to succeed, IT vendors must build more secure, trustworthy products.
This is the view expressed by influential user group the Jericho Forum in its first IT security manifesto, obtained by Computing in advance of its publication this month.
The forum, made up of 50 global firms including Rolls-Royce, KPMG, BP, Royal Mail, ICI and Royal Bank of Scotland, plans to develop and influence new security standards for IT and communications and use its buying power to introduce lower-cost business collaboration technologies.
'We believe vendors will adopt Jericho standards for the best commercial reason there is: future sales,' Paul Dorey, chief information security officer at BP, told Computing.
The forum's Visioning White Paper urges vendors to create interoperable technologies that provide low-cost secure connectivity, support roaming employees, allow secure external access to business applications, and improve flexibility.
'We are looking to drive forward cross-organisation security processes, open security standards, and build trust and assurance,' said Nick Bleech, head of security management services at KPMG.
Central to the initiative will be the creation of products and standards that 'can determine the relative level of trustworthiness' of an individual, organisation or technology, the report says.
The group also proposes the creation of technology that can ascertain the safety of a device, so that trust can be built between machines.
'Security training, such as the Certified Information Systems Security Professional scheme, covers the knowledge-base of security professionals, and BS7799/ISO17799 standards cover how the security of an organisation is managed,' said Dorey. 'Both of these are good scene-setters that help companies see how much they can trust one another to be secure.
'But how can I know that your computer is secure enough to be linked to my network? What we need is a standard that allows a system to say in real time what its security level is. If you use a different anti-virus product to me, how do I know what protection you have? Are your security settings and patch levels appropriate for the security needed by the end-to-end system? These are missing frameworks at the moment.'
The Jericho Forum hopes that, by outlining the future needs of multinational businesses, it can spur research and development opportunities for the technology industry.
'We are already engaging with the likes of Microsoft and Cisco, but I think there's also space for a lot of fresh thinking,' said David Lacey, director of information security at Royal Mail.
'We want to encourage new start-ups and early-stage ventures so we can have more imaginative solutions.'
The group plans to test the strength and interoperability of new products, a process which will call upon the IT departments of forum members to push new technologies to their limit.
'Many Jericho member companies already do proof-of-concept tests,' said Dorey. 'The product trials will be an extension of these where we will share our findings and do tests together to Jericho Forum standards, rather than just our own standards.'
The group will scrutinise products to ensure they meet vendors' claims, said Bleech.
'The security industry has a terrible image problem of putting out grand specifications, thinking that the world will become more secure. But these days it is about rapid developments and extreme testing,' he said.
The forum plans to set up working groups to produce more in-depth specifications, and will invite vendors to join.
'Jericho users do not build products; we need vendors to provide us with security solutions,' said Dorey. 'They will be free to contribute ideas and form standards working groups to respond to the user scenarios.'
What the Jericho Forum experts say
Paul Dorey, chief information security officer, BP
We believe vendors will adopt Jericho standards for the best commercial reason there is - future sales. We will increasingly specify these standards as mandatory requirements and will buy products that meet them.
Two key areas where standards are required are in the protection of individual components, such as clients, servers, disk drives and data elements, and in establishing interoperability of security services.
Nick Bleech, head of security management services, KPMG
It's about enabling and building confidence in business collaboration over the internet. We are looking to drive forward cross-organisation security processes, open security standards, and build trust and assurance.
By working through large purchasing organisations, such as BP, ICI and Standard Chartered Bank, and by them talking to their vendors, suppliers will start to understand what the Jericho Forum wants to achieve.
David Lacey, director of information security, Royal Mail
The need for trust and assurance goes right across the board and affects technology, organisations and individuals. If we can bring together best practice such as BS7799, product certification and individual training standards, then we can move towards a more disciplined way of working together.
We are lobbying across the board to sell this vision, and we want to turn the verbal support we have had so far into something more concrete.