Everywhere I turn these days, I see some pretty slick distributed security technology. Tools such as Finjan Software Inc.'s SurfinShield Corporate checks the safety of executable files, Java applets and ActiveX components, which float around the network. PKI (public key infrastructure) tools from vendors such as Baltimore Technologies can quickly determine if a user is still authorized to decrypt confidential data, even if that user works at a supplier or is a customer. Sophisticated neural network tools from vendors such as Computer Associates International Inc. scan not only individual servers, but also entire networks for suspicious activity.
That's all well, good and vital. But there's something else security managers need to help develop: trust between their companies and their key business partners. Without such trust, the best security systems in the world won't be enough to enable the cross-company links it takes to survive in a slowing economy.
Consider the case of a mid-sized chemical manufacturer that has gone through the time and expense of installing a full-blown ERP (enterprise resource planning) system and now plans to link that ERP system to its customers and suppliers. Using the Web like this to slash inventory and paperwork costs while improving customer service is "where we start to get some payback from our ERP system," said the company's director of strategic business
"Most of your management doesn't really understand how well security works," the director told me, "so there's this black hole of fear" that a competitor or hacker might get access to proprietary customer lists or product pricing information. Suppliers and customers are just as nervous, which makes them stop short of full electronic integration. One supplier allows the chemical company to automatically generate and e-mail purchase orders but insists on manually re-entering those purchase orders in its own systems, rather than give the chemical firm an electronic link into their system. The supplier's attitude, the director told me, is "We don't want to share our information with you unless you can prove the security is there."
This is where a forward-looking security director can help his company (and his career) by educating his management team, and that of his business partners, about what can and can't be done with today's security tools. Explain to your management, for example, how a database can be configured to let a customer see what's in your warehouses and the price they would pay for a given product, but won't let that customer see the preferred pricing another customer gets. Explain to a business partner how public keys can allow only selected employees within your organization to decrypt confidential e-mails, and how quickly you can grant (or withdraw) these encryption capabilities when an employee's status changes. Explain to both sides exactly what can and can't be done cost-effectively today with a Virtual Private Network.
Of course, the best tech demonstration in the world won't create the needed climate of trust. That's up to the management of both companies, who must prove they are trustworthy by speaking the truth about difficult issues, delivering what they claim and admitting it when they're wrong. As a security manager, you can't make any of that happen, but you can set the stage for such trust by 1) providing robust, granular security on which either company can rely to safely share data and 2) educating management about just what today's security tools can do and how they do it.
Whether or not you succeed in bringing about the brave new world of trust and partnership, you'll gain good visibility with managers at both your company and its business partners. The experience of explaining information technology in a business context can only be good for your resume. And developing those secure systems you'll be showing off will also let you play with some of that neat new security technology.
About the author: Robert L. Scheier is a contributing editor specializing in information technology issues. He can be reached at firstname.lastname@example.org .
This was first published in January 2001