Balancing E-Business Opportunity and Risk

SAN MATEO (05/15/2000) - Today's CTO, perhaps more than any other top executive, needs a keen sense of balance. The emerging role comes with a unique mission to drive new business opportunities through the creative use of technology. This means finding the right balance between the Internet's rewards and business risks.

And CTOs -- whether they work for dot-coms or established brick-and-mortar companies -- find themselves in near unanimous agreement on two key business concerns. First, there is no longer a choice about exposing at least part of your business on the Internet. Second, protecting your company from the associated business risks is about much more than basic security technology.

Business issues -- both obvious and subtle -- can be more important than firewalls in ensuring a secure e-business venture.

Many of these concerns are new to the technology leader's domain, not things that CIOs of yesteryear spent much time worrying about. But the e-business climate means both business and technology issues are imperative for the new CTO.

John Keast, CTO of NetworkOil Inc., a digital marketplace for the oil and gas industry in Houston, puts it this way: "I have been a CIO, and now I am a CTO. In many ways the jobs aren't that different, but there is one crucial difference. As CIO your department is far more likely to be viewed as a cost center, but as CTO you preside over a profit center."

Thus CTOs are just as concerned with growing the business as they are with the technology that enables it -- and introduces risks. For starters, there is the ever-present concern that the Web gives competitors a way to gather intelligence and use it against you. Web site performance is another critical issue in evaluating risk in terms of potential business loss. And the Web raises a host of new problems about protecting brand integrity and keeping customers.

These are precisely the kinds of business vulnerabilities that require a CTO to step outside the firewall realm and use a little creativity and business sense to assess risk for e-business.

"You have to use your imagination," says Marc Hansen, CTO of iEngineer.com, a San Francisco business-to-business portal for mechanical engineers in the manufacturing industry. "As CTO, you have to be the one senior executive who can visualize, understand, and evaluate risks that technology introduces to the business. This is critical for one reason. There is no one else in management who can do it."

Identifying points of vulnerability

What your e-business presents to the rest of the world is vital to your company's success, but it also creates new concerns for CTOs because it can be used against you.

There is always a risk in revealing information. Lloyd Hession, analyst at Giga Information Group Inc. in Newark, New Jersey, offers the following example to illustrate how someone could "legitimately" grab corporate secrets from your e-business site.

"Take an insurance company site," Hession says. "The company wants to let prospective customers enter various parameters -- age, job, etc. -- to get rate quotes. That is an essential part of the business plan. But a competitor can easily design a program to enter a wide range of parameters and quickly obtain thousands of quotes. Those quotes then allow that competitor to reverse engineer the company's premium structure."

In this example, there was no hacking at all, but the company inadvertently delivered the family jewels into the hands of the enemy. It is a breach that, even with the best security technology in place, could go undetected for years.

"This kind of thing is easily overlooked," Hession says. "All too often the security focus is on the low-level stuff, such as DDoS [distributed denial of service] attacks."

Yosee Feldman, CTO of Fairfield, New Jersey-based ProcureNet, a business-to-business procurement provider, says that although CTOs need to think about the dangers of competitive intelligence gathering, they shouldn't get too hung up about it.

"The fact is that in this new economy, many things that used to be secret will no longer be," Feldman says. "It is something we will all have to get used to."

His advice to CTOs is to concentrate on accumulating knowledge.

"You should focus on building things that are hard to imitate. Then you are secure since you have created something that no one else can easily use; it is your core business value," Feldman explains.

Jim Dai, CTO at Vivant.com Corp., in Oakland, California, agrees.

"We are an IT contractor marketplace," Dai says. "Freelance IT workers post to our site, and businesses go there to find those skilled people. Now anyone who visits our site can see what we are up to."

But, Dai explains, it is not a big security risk. "We are much more than a Web site," he says. "The applications we have deployed on the back end would be very hard to duplicate, even if you could reverse engineer their functions."

Dai is constantly incorporating new features based on feedback from Vivant's clients, so the business value for taking such a risk lies in the Web community the company has created together with the technology. It is a synergy which, he says, would be nearly impossible to duplicate without a major development effort.

Avoiding performance potholes

When assessing e-business risks, one of the first tough decisions a CTO will face is choosing the right architecture for the company's Internet endeavors.

Before joining iEngineering.com last summer, CTO Mark Hansen learned a valuable lesson about the strategic implications of architecture as vice president of systems architecture at J. Crew, the New York-based clothing retailer.

"When we put up the J. Crew.com Web site, I had a good idea of what kind of transaction volume to expect, so we built a system to handle it," Hansen explains.

And it did. The problem, he says, came five days later when the site gained popularity.

"I was perpetually startled," Hansen recalls. "We would rearchitect for [10 times the] growth and the same thing would happen, over and over again."

The lesson was scalability and avoiding downtime -- a business risk that can really cost you.

"I have seen retail Web businesses where one minute of downtime can cost $20,000," Hansen says.

For Web retailers, poor performance or downtime due to inadequate resources can mean loss of revenue. But for business-to-business digital exchanges such as ProcureNet, it can quickly translate into something more serious: loss of customers.

ProcureNet Inc.'s Feldman says that his customers are extremely sensitive to the perception of efficiency.

"This is security on a more philosophical level," Feldman says, "but the issue is quite real. Our ability to retain customers depends on maintaining the quality of our site -- no matter how fast we scale."

Hansen says scalability will typically not be a problem if you design for it, and he has some definite preferences.

"The biggest mistake you could possibly make would be to deploy the Microsoft SQL Server database," Hansen says. "It's the most unscalable platform there is. So we use Oracle. It's not that I love Oracle -- their philosophy is to grab you by the ankles and shake until all the money comes out -- but the product will scale."

Performance risks also affect the look and feel of your e-business, which, in turn, communicates something about your brand. At San Francisco cookware vendor Williams-Sonoma, where brand is elevated almost to a religion, a badly architected site would be seen as a major e-business menace.

"There is no way to mitigate bad technology," says Sean McHugh, manager of e-commerce infrastructure at Williams-Sonoma. "Poor performance hurts your image. I sell my senior executives on better technology -- things like more bandwidth -- by explaining that it protects our brand."

Covering your bases

Although CTOs are at the focal point of managing these high-level business risks, they are still keenly aware of the importance of a secure technical foundation. Still, CTOs must also rise above hacker hype and technical details to keep overall business risks in perspective.

"Basic security is the most obvious part of my job," Hansen says, explaining that a well-tuned e-commerce portal will almost always have a firewall, intrusion detection hardware and software, and authorization systems. The latter could include tokens and a public key infrastructure.

"[But] the other thing that is critical when it comes to the basic security infrastructure is an expert," Hansen adds. "If you allow yourself to get sucked into the minutia of security technology, you won't have the bandwidth to do what you need to do as CTO -- which is to understand the business and make the right technical decisions for the business. You need to keep an eye on the big picture."

McHugh agrees that you should really delegate the nuts-and-bolts security issues.

"We use a team of consultants from Lucent Technologies," McHugh says. "You have to have someone doing this. I keep track of it, but I can't afford to spend all my time on it."

When it comes to basics, another issue that garners widespread agreement from CTOs is the need to keep it simple.

"As CTO you need to be wary of CEOs and senior executives who get carried away by new, bleeding-edge technology," Hansen says. "It is your job to help management face reality -- which is that it's usually best to stick to tried-and-true standards."

NetworkOil's Keast says this is why he uses Cisco Systems Inc.'s Pix firewalls.

"You don't want to buy anything too exotic for this kind of stuff," Keast explains. "If you do, you will have a hard time finding people who are trained well enough to be experts."

At the basic technical level, managing e-business risk is primarily about making sure legitimate users get access, and that corporate data is protected.

"The biggest risk any business faces with exposure on the Web," McHugh says, "is that of someone getting to your core. We have two primary systems, an AS/400 box and an RS/6000 machine running Oracle. We employ multiple firewalls to protect these."

He also uses a security monitoring tool from Internet Security Systems to act as an additional watchdog.

"This gives us a way to monitor more closely what people are doing," McHugh says.

Finding the right balance

No one denies that these security technologies are job No. 1 for any CTO. Without them, you needlessly expose your business to tremendous risk. But most agree that they are the easy things to put in place.

"In the final analysis, all this stuff is readily available," says Jeff Ungar, CTO at ePod Corp., a New York vendor of embedded e-storefronts. "It is also secondary to the most important security task of assessing risk, which is not a technical issue."

If Dai and Feldman are right, then one of the most important risk management tasks you can perform is to build an e-business that's hard to imitate. Feldman thinks this will naturally take place if the CTO really succeeds in bringing the technology in line with the business.

"[Business] secrets will be less important in the future," Feldman says. "This is something the CEO needs to understand. These roles are new and evolving. Neither one is isolated anymore."

When NetworkOil's Keast says, "I don't have much of a problem selling my CEO on basic security technology," he really demonstrates how far evolved the CTO's role is from that of IT executives in days past. There is no longer any question about how critical technology is to the core business.

The real question is how to deploy e-business technology with minimal risk.

CTOs agree that the answer is about finding the right balance, both for long-term strategy and day-to-day efficiency.

Putting thorough policies in place

The e-commerce tidal wave is forcing many CTOs to take charge of an unfamiliar risk-management role, bearing the burden of setting protective policies and procedures amid a wide-open virtual access world.

"Historically, security has not been the CTO's role," says Dennis Szerszen, director of security strategies at Hurwitz Group, in Framingham, Massachusetts.

"But here's e-business all of a sudden, and the CTO's responsibility is to enable e-business. Now the CTO has to demonstrate to the company how they are containing risk."

Szerszen says the lion's share of assessing risks and implementing effective security begins with up-front planning. Natural components of the plan should include administration (user access and authentication), auditability capabilities (nonrepudiation and transaction records), and deployment of the security infrastructure (performance vs. overhead cost).

Of course, transmuting the security rules of a large brick-and-mortar company into one fully immersed in the blitzkrieg Web presence arena should include both internal and external concerns, says Michael Dunn, CTO at Time Warner Inc., in New York.

"The focus shouldn't simply be on SSL [Secure Sockets Layer] but needs to include who on your team has access to what servers and data, how your data servers are accessed by your applications, and how the actual fulfillment process is performed to ensure that it is both private and secure," Dunn says.

Keep in mind that the prime directive of a security policy could shift depending on circumstances affecting different parts of the system at the moment, says Doug Dalton, CTO at Gloss.com, in San Francisco.

"The No. 1 concern for us is customer privacy," Dalton says. "The focus changes when a vulnerability is exposed publicly. We then make sure that our systems are not vulnerable and are up-to-date in recommended patches and versions."

Bizrate.com's Henry Asseily says that the best defense may be having a strong networking partner to complement deployed security technology -- offering an extra set of eyes to monitor system attacks.

Finding the fine line between setting a security policy that is not too stringent, yet not too lenient, is crucial for CTOs to grasp, says Amine Mekkaoui, managing director and vice president at the Information Security Group of ZEFER.

Before you outsource: know thyself

It happens all the time. Your business desperately needs a Web site, but neither the CTO nor CIO has the resources to build it fast enough.

"Typically the CTO then goes to an Internet service firm," says Dan Woods, CTO at CapitalThinking, in New York. "They are plentiful, but they're not cheap."

Unfortunately, money doesn't necessarily buy happiness -- or a secure Web site.

Leanne Waldal, CEO of Otivo, a San Francisco Web quality assurance firm, gets to see Web outsourcing casualties in gory detail.

"Many of our clients are businesses who have outsourced their Web development to Internet service companies," Waldal says. "They come to us when their online customers start complaining. We frequently have to tell them, 'Your Web developer did a lousy job -- they picked the wrong technology and never tested it properly.'"

A poorly implemented Web site is more than annoying, says Doug Dalton, CTO at Gloss.com, a San Francisco online cosmetics vendor.

"It's a security risk," says Dalton. "Loss of goodwill with customers can bring your business down even more quickly than loss of data."

Both Woods and Waldal say that even some of the best-known service firms, with high-flying stocks and Fortune 1000 clients, are leaving a trail of tears in IT shops across the land.

One solution is to keep it all in-house, but for many CTOs that would simply translate into: "We'll build our Web site sometime this millennium -- if we can find the time."

But a solution isn't out of reach. The most common problem, Waldal says, is lack of knowledge about your company -- and this can be addressed before you call for help.

"Outsourcing is a relationship," Waldal says, "and the primary requirement in any successful relationship is to know yourself. Many of our clients find themselves in trouble because they didn't know what they wanted. If you just go to a Web developer and say, 'Build me a Web site,' you are asking for trouble."

"You simply cannot trust an outsourcer to magically apply the right technology to your specific business needs," Woods says. "Speed -- without proper due diligence -- can seriously compromise your security."

Giga Information Group Analyst Lloyd Hession also thinks an outsourcing relationship should start at home.

"You won't be able to make good use of the talent you bring in unless you understand the talent you already have," Hession says. "Know thyself."
