IT security standards are mainly set by dominant technology suppliers, rather than independent organisations, according to a German information security official.
But many commercial off-the-shelf products do not meet the necessary security standards, Bernd Kowalski of the Federal Office for Information Security told the ISSE 2010 conference in Berlin.
"There is an increasing demand for security-certified products, particularly in the US and Europe," he said.
In response, the Common Criteria for Information Technology Security Evaluation standards committee has suspended development of general criteria to focus on emerging technologies, said Bernd.
Criteria for smart metering, cloud computing and other emerging technologies are being fast-tracked, he said, to ensure that security, informed by best practice and current legislation, is included by design.
Ideally, said Bernd, a combination of regulation, legislation and independent technology standards for IT security will become the driving force for securing technologies.
"Hopefully, in future, security will be governed by these standards and implemented in the design phase rather than being added in response to security incidents," he said.