Extranets and the Crown Jewels

As businesses move forward in the networked economy, we are hearing more and more about the "virtual organization." This is typically described as a business having few employees and many temporary hires that serially builds and dismantles work teams as it hops from one project to the next- -all the while.exploiting its knowledge as the lever that makes the business run,

It's a wonderful vision. In theory, this kind of organization would reward knowledge more than financial capital, providing a balance between both kinds of scarce resource and thus enhancing entrepreneurial efforts. But there's a big catch the pundits have either underestimated or ignored: organizational parasites.

About 85 percent of the strategic ideas are developed by about five percent of the participants. But corporate culture works to reward people who claim ideas, so many players optimize their strategy by parasitically claiming others' ideas, spending energy promoting themselves instead of developing value on their own. It tends to be a winning strategy.

It is also often effective in intercompany competition. Industrial espionage is cheaper than R&D, especially in the "virtual company" world, since it's difficult and expensive to nurture the most skilled five percent of researchers. And even if a company has scruples about highjacking ideas from competitors, it's only a little more costly to imitate a product that's already gone to market, and still a lot cheaper than developing it from scratch.

The economics of the system reward parasitic behavior since invention is almost always more expensive than imitation. But rewarding parasites undermines the system as a whole since it encourages fence-sitters to become parasites rather than inventors. Any system can only carry a certain percentage of parasites before it collapses (witness the economy of present-day Russia).

Now mix knowledge management technology into the equation and the problem becomes vastly worse. Competitive intelligence tools are orders of magnitude more effective in the world of the Internet, which puts significantly more facts in a place where they might be cheaply harvested. We're probably two generations of technology away from having the type of neural networks that could grind through the mass quantity of data accessible over the Internet, drawing inferences that will expose virtually any secret. We're not there yet, but the trend appears inevitable.

The bigger concern, and the greater value for the parasitic competitor, is information willingly made available to members of the virtual organization. Extranets, business-to-business portals and shared databases are all part of the "co-opetition" model touted by pundits. The idea is that patching in suppliers and partners to your network will improve the efficiency of your operations, enabling the optimal pricing and team-building that the virtual model promises. Yes, but it also presents more of a danger once those partners become uncoupled. If they're courted by your competition, their value has been enhanced because they've been living in your systems. So instead of promoting rapid recombination, extranets actually create gravitational force for long-term steady relationships. Whoops.

And that's just partners. The same knowledge in the hands of customers may give them negotiating leverage or intelligence they can trade to your competitors for other considerations. Now factor in co-opetitors--organizations with which you simultaneously compete and cooperate- -and the situation becomes truly dangerous. All forms of subtle hacking and data-pilfering become possible, even likely, as companies intermingle their critical business systems.

Defense mechanisms
Most organizations in industries affected by rapid change can't afford to ignore the trend toward interlocking business relationships. But if they can't ignore it, how can they defend their assets while engaging in this more open form of commerce?

The answer is more technology. Cleverer security, not heavier security. Most experienced technology managers know that adding security complexity decreases risk to a point, but that at some point it can actually degrade the protection. People can only cope with a certain amount of inconvenience and still get their work done (as we've seen in the Los Alamos nuclear data migration case).

Security is basically a reactive creation, responding to known or expected security breaches. It's a punch-counterpunch that almost always leaves the security technology a step behind. Fortunately, there are exceptions. Esafe (since acquired by Aladdin Systems) revolutionized virus and security control by ignoring the specific attacking code and instead recognizing the patterns of behavior. Instead of writing code for every manifestation a virus might take, the company provides generic code to limit off-limits actions. That's the kind of simplification we need to increase security in an increasingly interconnected organization.

In the meantime, go ahead and explore virtual organization models. But remember that human and corporate behavior mixes in dangers with opportunities. Master tactical projects before you take on strategic ones. And stomp out parasites wherever you see them.