There is no longer a choice about exposing at least part of your business on the Internet. However, protecting your company from the associated business risks is about much more than basic security technology. Business issues - both obvious and subtle - can be more important than firewalls in ensuring a secure e-business venture. Mark Leon examines the risks.
Technology leaders in the e-business climate are just as concerned with growing the business as they are with the technology that enables it - and that introduces risks. For starters, there is the ever-present concern that the Web gives competitors a way to gather intelligence and use it against you.
Web site performance is another critical issue in evaluating risk in terms of potential business loss. And the Web raises a host of new problems about protecting brand integrity and keeping customers.
These are precisely the kinds of business vulnerabilities that require technology chiefs to step outside the firewall realm and use a little creativity and business sense to assess risk for e-business.
What your e-business presents to the rest of the world is vital to your company's success, but it also creates new concerns because there is always a risk in revealing information.
Lloyd Hession, analyst at Giga Information Group, offers the following example to illustrate how someone could "legitimately" grab corporate secrets from your e-business site.
"Take an insurance company site," Hession says. "The company wants to let prospective customers enter various parameters - age, job, and so on - to get quotes. That is an essential part of the business plan.
But a competitor can easily design a program to enter a wide range of parameters and quickly obtain thousands of quotes. Those quotes then allow that competitor to reverse engineer the company's premium structure."
In this example, there was no hacking at all, but the company inadvertently delivered the family jewels into the hands of the enemy. It is a breach that, even with the best security technology in place, could go undetected for years.
"This kind of thing is easily overlooked," Hession says. "All too often the security focus is on the low-level stuff, such as DDoS [distributed denial of service] attacks."
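Added example (not from the article or from any company it mentions): one way a site operator could surface the parameter-sweep behaviour Hession describes, by flagging clients whose quote requests cover far more of the parameter space than a genuine shopper's would. The log format, client identifiers and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample quote-request log: (timestamp, client id, age, job).
# Client "c-17" sweeps ages for one job; the others behave like shoppers.
SAMPLE_LOG = (
    [("2000-06-01T10:00:00", "c-03", 34, "teacher"),
     ("2000-06-01T10:02:10", "c-03", 34, "nurse"),
     ("2000-06-01T10:05:00", "c-08", 51, "driver")]
    + [(f"2000-06-01T11:{m:02d}:00", "c-17", 18 + m, "driver") for m in range(40)]
)

WINDOW = timedelta(hours=1)   # assumed review window
MAX_COMBOS = 20               # assumed ceiling on distinct quotes for one shopper
MAX_AGE_SPREAD = 15           # assumed: one shopper rarely quotes across 15+ years


def find_sweepers(log, window=WINDOW, max_combos=MAX_COMBOS, max_spread=MAX_AGE_SPREAD):
    """Return {client: (distinct_combos, age_spread)} for clients whose requests
    inside any sliding window cover more parameter space than a shopper would."""
    by_client = defaultdict(list)
    for ts, client, age, job in log:
        by_client[client].append((datetime.fromisoformat(ts), age, job))

    flagged = {}
    for client, rows in by_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span is at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            combos = {(age, job) for _, age, job in in_window}
            ages = [age for _, age, _ in in_window]
            spread = max(ages) - min(ages)
            # Require both signals to keep ordinary comparison shopping unflagged.
            if len(combos) > max_combos and spread > max_spread:
                flagged[client] = max(flagged.get(client, (0, 0)), (len(combos), spread))
    return flagged


if __name__ == "__main__":
    for client, (combos, spread) in find_sweepers(SAMPLE_LOG).items():
        print(f"{client}: {combos} distinct quotes, age spread {spread} years")
```

A sweep paced slowly enough to stay under the per-window ceiling is not flagged by this check, so the window and thresholds need tuning against real traffic.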
When assessing e-business risks, one of the first tough decisions is choosing the right architecture for the company's Internet endeavours.
Avoiding performance potholes
Before joining iEngineering.com, Mark Hansen learned a valuable lesson about the strategic implications of architecture as vice president of systems architecture at a clothing retailer.
"When we put up the Web site, I had a good idea of what kind of transaction volume to expect, so we built a system to handle it," Hansen explains.
And it did. The problem, he says, came five days later when the site gained popularity.
"I was perpetually startled," Hansen recalls. "We would re-architect for 10 times the growth and the same thing would happen, over and over again."
The lesson was scalability and avoiding downtime - a business risk that can really cost you.
"I have seen retail Web businesses where one minute of downtime can cost $20,000," Hansen says.
For Web retailers, poor performance or downtime due to inadequate resources can mean loss of revenue. But for business-to-business digital exchanges it can quickly translate into something more serious: loss of customers.
Performance risks also affect the look and feel of your e-business, which, in turn, communicates something about your brand. There is no way to mitigate bad technology, and poor performance hurts your image. Senior executives can be sold on better technology - things like more bandwidth - by explaining that it protects the brand.
Covering your bases
"Basic security is the most obvious part of my job," Hansen says, explaining that a well-tuned e-commerce portal will almost always have a firewall, intrusion detection hardware and software, and authorisation systems. The latter could include tokens and a public key infrastructure.
"[But] the other thing that is critical when it comes to the basic security infrastructure is an expert," Hansen adds. "If you allow yourself to get sucked into the minutiae of security technology, you won't have the bandwidth to understand the business and make the right technical decisions for the business. You need to keep an eye on the big picture."
When it comes to basics, another issue that garners widespread agreement is the need to keep it simple.
"You need to be wary of CEOs and senior executives who get carried away by new, bleeding-edge technology," Hansen says. "It is your job to help management face reality - which is that it's usually best to stick to tried-and-true standards."
You don't want to buy anything too exotic, because if you do, you will have a hard time finding people who are trained well enough to be experts. At the basic technical level, managing e-business risk is primarily about making sure legitimate users get access, and that corporate data is protected.
The biggest risk any business faces with exposure on the Web is that of someone getting to your core. However, putting security technologies in place is the easy part, and secondary to the task of assessing risk, which is not a technical issue.
Before you outsource: know thyself
The real question is how to deploy e-business technology with minimal risk. The answer is about finding the right balance, both for long-term strategy and day-to-day efficiency.
To achieve this end, organisations must walk a fine line, setting a security policy that is neither too stringent nor too lenient.
The lion's share of assessing risks and implementing effective security begins with up-front planning. Natural components of the plan should include administration (user access and authentication), auditing capabilities (non-repudiation and transaction records), and deployment of the security infrastructure (performance vs overhead cost).
"Keep in mind that the prime directive of a security policy could shift depending on circumstances affecting different parts of the system at the moment," says Doug Dalton, chief technology officer at online cosmetics vendor Gloss.com.
"The No 1 concern for us is customer privacy," Dalton says. "The focus changes when a vulnerability is exposed publicly. We then make sure that our systems are not vulnerable and are up to date in recommended patches and versions."
It happens all the time. Your business desperately needs a Web site, but the resources to build it fast enough aren't available.
However, even some of the best-known service companies, with high-flying stocks and major corporate clients, manage to leave a trail of tears in IT shops across the land.
One solution is to keep it all in-house, but for many organisations, that would simply translate into: "We'll build our Web site sometime this millennium - if we can find the time."
But a solution isn't out of reach. The most common problem is lack of knowledge about your company - and this can be addressed before you call for help. Outsourcing is a relationship and the primary requirement in any successful relationship is to know yourself.
Many organisations find themselves in trouble because they don't know what they want; they just go to a Web developer and say, 'Build me a Web site'. You simply cannot trust an outsourcer to magically apply the right technology to your specific business needs. Speed - without proper due diligence - can seriously compromise your security.
Metrics for e-success
What happens when your CEO hauls you into the corner office and asks, "What will this e-commerce initiative contribute to my business?" How will you respond when the CFO throws up a challenging remark, "We're giving you the budget you demanded, what's the return?"
Knowing the right answers - or better yet, ensuring that those questions need never be asked - can mean the difference between success and failure in the high-pressure world of today's IT executives. Meta Group calls the art of reinforcing businesses' perception of IT's credibility "value management". Other analysts and top IT executives have their own names for assessing, measuring, and communicating the value of technology. Horse sense might be one of them.
But whatever you call it, all agree: top IT executives who adroitly address the connection between technology and business are solid managers. And those who flounder, before or after they have been hauled over the carpet, had better polish their management skills, quickly. This fine art is especially critical in an Internet economy. In this bold new world where business and technology intertwine, some of the traditional metrics used to judge technology spending no longer work.
Setting cohesive business goals
Evaluating the potential payoff of an IT initiative demands examination of the business strategy behind the effort. Consider whether the effort is intended to increase transactional efficiency, improve customer loyalty and retention, drive revenue, or provide a new channel of distribution. The need for a strategic understanding of the business is so much greater when you talk about e-business because it touches your customers and your business partners.
Crossing the cultural divide
But the business-oriented approach is not easy for IT organisations and managers schooled in the old ways, said Steve Diorio, president of IMT Strategies, a Meta Group affiliate. A cultural gap exists between the performance measurements employed by IT and the lines of business, Diorio explains. When traditional IT managers talk about strategy, they're thinking in terms of architecture. When sales and marketing managers talk about strategy, they're thinking about a growth plan, he says.
When traditional IT managers consider ROI (return on investment) milestones, they are likely comparing the performance of software and hardware against the budget they have received to buy, make, and implement the solution. When sales and marketing managers contemplate ROI, they are thinking about revenue growth and market share, Diorio says. The cultural divide continues in perceptions about objectives, planning, organisation, and incentives, he adds.
Traditionally, IT has been viewed as a cost centre, but now it should be value-based. The companies that succeed will be those that integrate IT and business strategies, defining e-business systems to drive customer acquisition, market penetration, and customer retention.