Many readers will think Bill Gates's recent admission that security should be a top priority at Microsoft was long overdue.

In an email to employees, the software giant's chairman said that Microsoft would shift its focus from adding features to beefing up security under an initiative called Trustworthy Computing.

So what prompted Gates to commit to the one thing that everyone with the vaguest connection to a computer has been asking him to do for years?

In the past, Microsoft and other vendors have been happy to churn out a stream of budget consuming new products, and rely on the fire-fighting skills of systems administrators to maintain security.

The company has previously enjoyed the luxury of supplying its incredibly feature-rich, user friendly software without much competition.

But times are changing. The open source community has become increasingly commercial and is launching more and more user friendly products and operating systems, all of which enjoy an excellent reputation for security. Many observers say the folk at Microsoft are now taking the threat more seriously.

At the same time, administrators are less willing to accept the dominance of Microsoft, as IT staff bemoan the number of patches they are forced to install and regularly update to ensure an adequate level of digital security.

Security vulnerabilities have plagued Microsoft since the year dot - and even more so since the year of .Net - when the company placed all bets on web services, gambling on this being the future of software provision.

But success hinges on security and, given Microsoft's reputation, most IT directors are more than a little uneasy at connecting their networks with its products over the internet.

Against this backdrop, Microsoft recently suffered a 13 per cent fall in net income to £1.6bn in the final three months of 2001, after lawyers landed it with a $660m bill for the antitrust lawsuit.

And although the order book looks rosy the software giant now appears vulnerable, something that would have been unthinkable two or three years ago.

Perhaps most interesting of all, Gates's email followed a recommendation by the National Academy of Sciences for the US Congress to make it easier to punish firms that produce insecure software and put businesses and consumers at risk.

In a draft report on the state of IT security after 11 September, this panel went further than any other respected industry think tank in attempting to render manufacturers liable for system breaches.

The plan has been shot down by many observers, because the necessary legislation would run counter to everything that has been established over the last few years. But it is important that the argument has been publicised; vendors have had it all their own way for too long.

It remains to be seen whether Gates will deliver. In these days of spin, many at Microsoft may believe that making the right noises will be just as effective - and cheaper - than making the right products. "Trustworthy Computing" has a lovely ring to it, but would Microsoft ever delay a launch to make its software truly secure?

Until the vendors make products more secure and IT directors enforce vigilant policies, IT will always be seen as a broken window in the modern business office.