Tackling E-business Means Redefining Your Security Strategy

Companies no longer have a choice about introducing at least part of their business to the Internet. This necessity is forcing executives to confront more than ever before their exposure to risk.

Of course, there are basic security technologies that every e-commerce engine should employ, but as important as they are, products should take a back seat to more fundamental strategic concerns. These issues can be characterized by questions about information, according to Steve Gold, managing director of supply chain solutions for KPMG in Chicago. "How much do I share? What do I share? How well is it protected?" he asks.

According to Adam Hartung, e-business partner in the consulting group of Computer Sciences Corp. in Chicago, clients are more willing than ever to do business on the Web. "Typically clients want to hold on to a business model that isn't suited to the Web. This old model is based on conflict [and the idea that] information is power, that what I don't tell you allows me to negotiate a better deal."

Playing your cards close to the vest doesn't fit with the new way of doing things, Hartung advises. "It is much more of a cooperative model that requires a new way of thinking from the top down," he says. "The CEO has to get involved."

Learning to Change
As a case in point, a global engineering and construction firm needed to learn new behavior when its executives began searching for ways to streamline operations and build a global extranet. The new network had to support a community of engineers that included suppliers and other business partners, some of which did business with the firm's competition. This organization had a corporate culture typical of the engineering field; it maintained tight control over detailed designs and plans. In a radical departure from tradition, the executives decided to share this information with business partners over the new extranet.

"They could have taken the view that this type of information must never be allowed outside the company," says Eric Darr, coleader of the knowledge management practice at Ernst & Young LLP in Philadelphia. But the construction firm saw a competitive advantage in sharing detailed plans that before had been top secret.

This company's designs, however strategically valuable they may be, actually would be useless to others. Only a few firms compete in this market, and each has its own way of doing things. The company had much to gain from sharing information because suppliers and other business partners were brought into the loop much earlier in project cycles.

"There are two things companies need to figure out before they venture into e-commerce," says Lloyd Hession, managing director of e-practices for the Giga Information Group in Newark, N.J. "The first is that this is all new ground. You have no actuarial history, and traditional risk assessment always requires a history. The second thing is that you simply have no choice. If you don't change and adapt, you will be out of business."

Hession says that executives should not spend time worrying about headline-grabbing hack attacks. While these risks remain a threat, he says, they are relatively easy to block and filter with firewalls and intrusion-detection systems.

More sophisticated attacks often make "semi-legitimate" use of a business application and are therefore harder to detect. "Suppose you are a life insurance company. You have always given premium quotes over the phone to callers who supply the necessary data--age, marital status, et cetera. Of course you want to do the same thing on the Web. But if I am a reasonably competent programmer, it is easy for me to write a program that goes to your Web site and obtains quotes for the entire population of insurable customers. Then I can reverse-engineer your premium structure. That is sensitive information that you would never voluntarily part with."

Old Problems, New Threats
VWR Scientific Products of West Chester, Pa., supplies equipment to laboratories. "The new, Web-based supply chain automation tools are great solutions," says Scott Witmoyer, manager of EDI services. "We support them, but we have to watch things very closely or we risk losing some of our oldest business partners."

Some of these partners have embraced new trading platforms from vendors such as Ariba and Commerce One. The problem for VWR is that Web-based trading programs don't automatically send the data that Witmoyer needs to invoice customers. As a result, he spends a lot of time monitoring any new trading software his customers might install. "We have consultants tracking this," he says. "We try to let our customers know ahead of time that if they decide to use one of these new packages, they may not get the kind of bill they are used to."

He expects that experience and technology advances will mitigate the worst of these problems. "XML will make things easier as the standards mature," he predicts. "Then it should be possible to build a solution once and implement it many times."

The Dreaded D Word
Such a billing predicament might sound mundane, but it represents a serious threats in the e-business age, according to KPMG's Gold. Disintermediation--the removal of a middleman from a process--can strike quickly. If a competitor or a loyal business partner can find a way to do something faster and cheaper over the Web, the intermediary's business can disappear. John Holt is CEO of the Cobalt Group in Seattle, which utilizes the Web to help auto manufacturers and dealers present a more integrated sales approach to customers. "There is always talk of cutting the dealer out of the loop, but I don't think it will happen," says Holt. "No matter what people say, the dealer provides a service that is hard to emulate."

Yet dealers see a risk in joining forces on the Web, where one of the oldest business issues is raised again. "Who owns the customer?" says Holt.

While selling cars is specialized, the operational risks that the Web introduces are general. "In assessing all the risks involved, dealers essentially have three choices," Holt says. "They can opt not to do business on the Internet, but that is suicide. They can choose to go it alone with a Web site that is completely independent of the manufacturer. This gives the dealer total control of customer data, so there is less fear that the manufacturer will lure the customer from a Ford to a Volvo. The third option is to partner with the manufacturer. This introduces the risk of losing control of the customer, but the advantages of a joint approach are substantial--if someone can find a mutually satisfactory way to share the customer."

Gold argues that in this case, it is far riskier to clam up than to open up. "Cross-collaboration and sharing design specs with trading partners have proven to be successful in the high-tech industry, and many of the same arguments apply to the making of cars."

Sensitivity Scale
Specialized data aside, Gold points out that not all information is equal. "Design specs are really not that sensitive," he says. "Things like the pricing of commodities might be."

The role of the CTO is critical in making these distinctions, Gold says. "The CTO's job comes to the forefront here. You need someone who sits at the intersection of the business and the technology to make these calls. In the automobile industry, for example, there is little risk in letting the world know what you pay for commodities like pencils and paper clips. But for commodities like tires and sheet metal, the pricing is more sensitive."

Once an organization accepts the operational risks of taking its business to the Web, the technical issues, while important, are largely commodity purchases. "In the past most businesses built a moat around the castle--that was the way they approached security," says Carl Kessler, vice president and general manager for the SecureWay product line at Tivoli Systems in Austin, Texas. "But in this new electronic marketplace the last place you want to find yourself is behind a moat."