Speaking after the embarrassing leak of Windows 2000 and NT4 source code on to the web this month, David Lacey, chairman of the forum and director of security and risk management at the Post Office, said "security by obscurity" would not be an option for businesses in the future.
IT security will have to change radically over the next few years to allow businesses to communicate with suppliers and customers across potentially insecure public networks, said Lacey. This means moving security to the data level.
Just as businesses no longer rely on the secrecy of encryption algorithms to protect their data, software suppliers should not be reliant on the secrecy of their source code, Lacey said.
"Microsoft source code gets exposed to so many contractors and partners that there is always a risk it will come out at some point," he said. "Microsoft should design secure systems where it does not matter if it gets out."
Lacey said Microsoft deserved credit for taking the lead on security, but warned it had a long way to go before it reached the levels the industry was looking for.
Stuart Okin, UK security chief, said he agreed with Lacey's comments and that Microsoft was already designing code capable of being widely shared without compromising security. "We absolutely firmly believe in Jericho's vision. It's about protecting the individual data items, rather than putting protection around your perimeter," he said. He added that the Windows source code leak would pose only a limited security risk.