Information Security in the Age of the Extended Enterprise*
Tuck School of Business
By M. Eric Johnson
Professor and Director, Center of Digital Strategies
Business integration, once accomplished by physically co-locating legions of
employees in large vertically integrated firms, has been unshackled by
information technology (IT). The rise of cheap computing linked together via the
Internet has so rapidly changed the way work is organized and conducted that
executives, management theorists, and policy makers are all struggling to
understand the full spectrum of opportunities and consequences. Opportunities,
such as outsourcing, are enabling huge cost reductions and the creation of many
new business models. Consequences, such as the fight to keep information private
and secure, cost firms billions of dollars and create risks unimagined ten years
ago.
For firms like Hewlett-Packard, the changes have been breathtaking. Only a few
years ago, HP located product designers, marketers, and manufacturing workers on
the same campus. Products on the workbench in R&D could be carried down a single
flight of stairs to an assembly line for prototyping and testing. Marketers
played volleyball over the lunch hour with design engineers, often exchanging
ideas on customer needs or competitive threats. Today, many of those same
individuals work within an extended enterprise comprising different companies
spread over the globe and communicating via the web. Through a web browser, a
designer can implement an engineering change for a factory half a world away; a
procurement specialist can change a supplier order; a supply chain manager can
monitor an outsourced factory's production; or a customer engineer can
coordinate a delivery. And every one of those interactions could potentially be
observed or disrupted by youthful hackers seeking a thrill or by more malicious
individuals pursuing competitive gain.
These changes are certainly not limited to technology firms like HP. The
Internet has dramatically improved the ability of firms, of any type or size, to
shift work to its most efficient location. For example, Wal-Mart has moved many
traditional retail functions back to its suppliers and now requires all of them
to use electronic communications for coordinating routine purchasing and supply
chain planning. Likewise, auto makers such as GM have pushed product design
functions back to their suppliers and now exchange detailed product design
information over the web with suppliers around the globe. This increasing
dependence on information availability, coupled with rising fears about Internet
security, has led many global companies to make substantial investments in
secure enterprise computing platforms. Yet, when recently surveyed by
Information World, few CIOs said they felt truly secure. For many smaller firms,
information security is an even more serious question: routine viruses and worms
often have a disproportionate effect on smaller firms.
Now, with the rush towards outsourcing and low cost sourcing, nearly all large
firms face risks within their own company and across their supplier base. These
risks range from supply disruptions and delays to theft of shared intellectual
property and customer disappointment. Often these risks stem from a key business
enabler: IT integration both within and across firms. Virtual teams with members
from different firms mingle corporate and personal data communicated on a wide
range of personal devices, from laptops to PDAs and cell phones, many of which
have security gaps. Seeking to speed every aspect of their business, firms have
stitched together many applications, from manufacturing and distribution to
accounting and human resources. In doing so, they often inadvertently expose new
security vulnerabilities. For example, many older manufacturing control
applications were developed to run in isolation, with little thought to
security. Exposing those systems through integration with other business systems
often opens many network vulnerabilities. Likewise, when two firms tie their
networks together to speed the free flow of information, imbalances in network
security can lead to new vulnerabilities: a virtual swinging door between the
two firms through which anything can come and go. Integration between firms
creates efficiencies, but the resulting interdependencies also create risk. As
with airline baggage handling across multiple airlines, the risk of integrated
networks is often dictated by the least secure firm.
Simply tracking and managing the flow of work around the globe can be
challenging. Once outsourced, work and its associated information quickly flow
on to the supplier's supplier. The extended enterprise for any product, starting
from the customer and reaching back to the smallest supplier, can include
thousands of firms. Maintaining control over sensitive information in the
extended enterprise becomes more challenging every day.
Raytheon learned this lesson last summer when it signed an outsourcing agreement
with IBM to manage the development of Raytheon's SAP implementation. When IBM
indicated that it planned to use Indian subcontractors to keep costs low,
executives at Raytheon quickly realized that they had a problem. Complying with
US regulations and ensuring that sensitive aircraft design data was not
vulnerable would not be easy. With work of all types being outsourced, from
payroll management to patient billing, questions about privacy and data security
arise faster than the answers.
You need not be a defense contractor or a hospital to face a multitude of
security and privacy issues. Deleting another handful of potentially
virus-infected emails from your inbox has become as routine as wiping your feet
on the entry mat on your way into the office each morning, all part of the
ritual of starting another business day. It is all too easy to see these small
security lapses as nothing more than a nuisance of working in the Internet age.
Yet, as those who manage worker safety or quality control know, small failures
often precede much more devastating outcomes. What might be cuts and bruises
today can be a fatality tomorrow. And the analogies between information security
and safety/quality management don't end here. Many lessons for improving
security can be adapted from the playbook of the quality movement.
What Can Be Done?
Those hoping that technology will solve our security problems will be
disappointed. Even firms that are in the business of selling technology
solutions are quick to admit that technology alone will not provide security. At
a recent summit, hosted by Tuck's Center for Digital Strategies and Cisco
Systems, CIOs from diverse industries shared successes and frustrations in
managing security. Across the group, there was strong agreement that information
security is first and foremost a management problem. Key to our discussion on
successful security management were culture, education, and effective risk
measurement.
It is so tempting to think that IT security is the responsibility of the
information technology group. Nothing could be further from the truth. During
the quality revolution, the firms that found quality breakthroughs were the ones
that realized that quality could not be delivered by the quality control
department. It had to be part of the organization's culture. Security, like
quality, is everyone's responsibility. Business managers cannot be passive,
waiting for protection from the information security police. Rather, information
chiefs must articulate the risks, like any risk faced by the business, and as a
team, executives must balance the risks. Brad Boston, Cisco's CIO, described how
his organization moved from a traffic cop that simply said yes or no to business
manager requests to one that helped them make good decisions. "Our job is to
identify the risk, the threat of that risk actually occurring, the probability,
and tell what the options are to remediate it. Then a business decision is made
about what risks are acceptable and which risks are not." This responsibility
resides at every level in the organization, including the board. One CIO
complained to me that when he presents updates to his board on new applications,
their eyes light up. But when he talks about security, he sees them glaze over.
Having board members who understand the risks and can help other members see
those risks is key to effective information technology governance and to
building a culture of security.
Education throughout the organization is an equally important element of
building a culture of security. As organizations suffering from sloppy safety
management and its resulting injuries have learned, security requires attention
to detail throughout the organization. But security education must be targeted
and relevant to each individual's responsibility. Simply broadcasting fear does
little to improve security. Too many security managers have fallen into the
Chicken Little role, crying that the 'sky is falling' simply to generate
awareness. This approach gains some attention at first, but has little long term
effect. For CIOs, gaining and maintaining the confidence of the other C-level
executives requires articulating the risks and opportunities in the business
context, not simply forecasting doom.
Scott Day, Cargill's Global Information Protection Manager, described how the
agricultural conglomerate segmented its training. "We've identified what the
roles are and the business unit
leaders that are in those roles. What does the business manager need to know?
He doesn't give a rip about TCP/IP but he needs to know how it affects his
decision rights... We've taken that on because we think that's something that
will help internalize it into the culture. When everybody knows what it is they
are responsible for and how they are going to be held accountable, then they
can go get what they need and make sure they are up to speed on it."
Finally, achieving security across the extended enterprise requires carefully
scrutinizing both suppliers and customers, continuously evaluating the security
risk they pose. This includes educating your customers about the risks and
nudging them towards better security practices. For many financial firms,
practices like requiring customers to use the most recent versions of web
browsers protect both customer and firm. Sometimes protecting the extended
enterprise means not working with firms whose risks outweigh the business
benefits. Jim MacDonald, CIO of Fidelity Management and Research, described how
information security issues have affected his firm's partnering practices:
"Working with small technology companies' terrific innovative systems is an
issue for us in that we tend to like those companies because they can help us
get a competitive advantage. [However] when we go in and do security
assessments, [we find] it's usually not been an area of focus for the company
and may be lacking somewhat. We've gone slower creating partnerships with those
types of companies that we're not happy about because we see the technology, and
it's terrific, but they just don't have enough [security] emphasis."
Qualifying suppliers on their IT security risk is as important as measuring
their financial risk or their quality. As Mark Hillman, a supply chain executive
at General Motors, put it, "If you do a lot of outsourcing, you need to go poke
at everybody." Poking means assessing the risk and then monitoring it like other
risks a supplier may generate. It means ensuring that suppliers' access to your
internal systems doesn't compromise your network and that their own security is
sufficient to protect shared intellectual property. In the new world of the
extended enterprise, security can never be taken for granted.