Johannesburg, 22 Jul 2003
As business becomes more digital and supply chain relationships more collaborative and interdependent, so security technology becomes an enabler of business rather than a cost of doing business.
So says IBM SA`s IT security consultant, Alkesh Patel. "We`re moving into an e-business on demand era in which companies must be able to respond flexibly and quickly to any market opportunity or threat.
"That means having a security infrastructure that allows you to bring on new revenue streams easily without compromising the trust with which customers, suppliers and business partners will entrust their data to you.
"So, you must map your security to your strategic business objectives. Otherwise, your security spending will not deliver business results."
Studies show that 30% of all security expenditure is incorrectly applied. They also show that 52% of e-business initiatives are abandoned because of inadequately planned security.
That`s because companies tend to see security technology as a grudge purchase; "just another insurance policy," says Patel. "But even at that primitive level, your security investment should be tailored to your particular business needs."
There are over 130 security controls that could be applied to a business, but no company needs them all on day one. "The ideal is to apply best practice to specific business initiatives, take an 18-month view, and then develop your controls as your business initiatives grow."
IBM has identified five levels of security, based on the depth of supply chain collaboration required and therefore the depth of trust required. As Patel says, the value chain is fast becoming the trust chain.
Security level one applies when a business has no external connections or integration with partners, suppliers or customers. Security technology in this situation should help the business with access control and reducing administrative overheads.
Level two applies where electronic transactions with selected trusted suppliers or customers take place. There is a need to protect partners` data and vice versa, and restrict competitor access to data. Key security functions here are access management, threat management and intrusion detection - all guided by defined security polices and standards.
IBM calls level three security `value chain visibility` - when businesses integrate entire value chains to provide automated service to customers. For instance, currently in the insurance industry a customer first talks to an agent, who then involves an underwriter who captures the customer`s details and provide quotes. With level three security, the customer would simply enter her details on an agent`s Web site. They would be automatically forwarded to the underwriter`s system, which would automatically process and return the quotes to the customer.
In this scenario, privacy is key. The business will require a mature security management organisation. Security solutions would include identity management and rules-based security policies - across the value chain.
Security level four covers an industry-centric value web, protecting integration of data across entire industries. An example would be automation between banks, the automotive industry and the short-term insurance industry of all the processes their mutual customers go through to select, order and finance a vehicle.
Crucial security technologies here would be pervasive commerce management, federated identification and risk management.
Security level five takes industry collaboration to a visionary future, where most basic commercial functions will be commonly accessible to customers from any device. In that scenario, cross-industry integration is so deep and pervasive that intelligent systems, not designed yet, will be the order of the day.
At each level you leverage the investment from the previous level and plan for the next level.
"The point is to put in place now the kind of security infrastructure that will enable you to easily participate in that future world of e-business on demand," says Patel.
Share