As e-Business continues to mature, we are seeing many changes in the paradigms that define business operations and information technology infrastructure. Not the least of these is the necessity for robust, flexible, user friendly, and cost-effective security solutions. What was once viewed as the precursor to any Internet or electronic venture has now been forced to take a backseat to what are usually highly dynamic business needs, while at the same time remaining an integral aspect of success. This dichotomy is created by the fact that successful e-Business ventures must be rapidly deployed and remain highly adaptive to constantly changing needs, but still offer a certain degree of security and privacy in order to attract and maintain a satisfactory customer base. The following will briefly analyze the factors creating this situation and outline some of the related risk management considerations.
One of the historical conundrums in e-Business has been how to convince a broad user/customer base that Web-based activity is secure. This problem has been exacerbated by sensationalistic media coverage of events that create a highly inaccurate view of what can be termed a “Wild West” Internet landscape. Overkill attention to rare events and the actual misrepresentation of facts related to others have created quite a fervor among the user community over security and privacy concerns.
The true incidence of fraud or theft based solely on Internet activity, however, is fractionally less than what occurs in the brick and mortar world. The chief difference is that when major fraud occurs at a major hotel chain, for example, it isn’t covered by every newspaper or media outlet in the country. Ironically, most credit card fraud occurs during everyday usage (e.g., at hotels, restaurants, and airport ticket counters) and not on the Internet. However, the perception that the Internet is an untamed landscape exists and therefore must be managed.
E-Businesses are constantly faced with the problem of trying to educate their customer base about their various security solutions and to market those solutions to it. Magnifying the problem is the fact that there is little or no tolerance for error: any security event, however trivial, will be reported broadly (and probably inaccurately), and the customer base always proves to be totally unforgiving. Privacy has now been added to the mix, as customers are concerned not only with theft and fraud but also with the custodianship and distribution of any information relating to them or their activity on the Web. Despite all of this, the high level of user paranoia hasn't prevented consumers from becoming more sophisticated and demanding, which places considerable strain on any e-Business.
Businesses must manage all of the security and privacy concerns, real or imagined, present a credible message about their efforts in this arena and, at the same time, constantly adapt and provide more flexible, user friendly, and dynamic business solutions. The ultimate decision, driven principally by a highly competitive e-Business community, is to have the business drive the technology, and then adapt security and privacy solutions based on the parameters of the strategic business model. In other words, what was once a condition-precedent infrastructure issue has now, by necessity, become an integral part of the business model.
As an example, the security concerns that arise on entering the business-to-consumer (B2C) market are different from, but as real as, those in the business-to-business (B2B) market. In a B2C market, the marketability of the security solution needs to be considered, as well as ease of use and flexibility. Conversely, in a B2B market, one might consider solutions that are more functional in nature due to a more sophisticated customer base. In either case, due consideration will have to be given to security during the development of the business strategy, and security could become an integral part of the marketing and deployment strategy as well (albeit almost certainly more often in a B2C model).
In another example, compare the security and privacy needs in an online banking deployment versus the selling of CDs or DVDs online. There will be significant differences in the business risks as well as markedly different expectations of security and privacy from the customers of both. The ultimate success of these ventures can be severely handicapped in the absence of due consideration of security at the earliest stages of strategy development.
In summary, security should be as much a part of any strategic e-Business model as delivery systems. Furthermore, because of the broad scope of the factors involved (perception versus reality, privacy issues, and a highly demanding and dynamic business environment), security should be analyzed and managed in a 360-degree approach covering all aspects of strategy, implementation, and, ultimately, assessment. This is the only way to provide a linkage between all of these issues that will satisfactorily address risks and controls, from the point of interaction with the user to ultimate transaction resolution.
A. Michael Smith is a senior manager with Deloitte & Touche.