News In Review

August 31, 1998


Acceptable Risks

Continued...page 2 of 4

  • Among those survey respondents able to identify losses due to security breaches in the past 12 months, 84% say they lost between $1,000 and $100,000 in U.S. dollars. The other 16% say they racked up more than $100,000 in losses.

    "There are significant financial losses that people don't even know about," says Bruce Murphy, managing director at PricewaterhouseCoopers, which advises companies on information security issues.

    "I think they are estimating low." In fact, 49% of those surveyed concede they don't know if they were pickpocketed in the past year. Only 28% say they're certain they haven't suffered any monetary loss. If companies improve their detection capabilities via emerging intrusion-detection tools and enhanced measurement criteria, Murphy says, they will become more aware of the losses they're incurring already. And while E-commerce is galloping ahead, he expects the incidence and amounts of financial damages to surge upward, too.

    Yet there are effective strategies to consider. Some IT managers are going to considerable lengths to measure the success of their security policies. McKesson Corp., a pharmaceutical distributor, has beefed up its policy and installed double firewalls to provide a secure area where a drugstore chain can have access to information about its accounts. Intralinks, a financial services firm, asks banks on its extranet to adjust their security procedures so that each adopts the highest common denominator. And at VHA Inc., a group of health-care providers and suppliers, IT executives are rethinking their approach to security after building an extranet.

    Other companies are doing more encryption and rolling out awareness campaigns to educate employees about information security. Above all, they're making security a priority at the earliest possible stages of new projects.

    Early And Often
    In the world of information security, proactive measures are generally considered the most cost-effective, too. McKesson makes an extranet available to a few corporate managers at Rite Aid Corp., the pharmacy chain based in Camp Hill, Pa. These managers will be able to go behind the first of McKesson's two firewalls to view orders and track information about inventories and past purchases by Rite Aid. McKesson's internal systems are guarded behind the second firewall. Before launching the extranet, McKesson began using Internet technologies to sell medications to the Department of Defense in Asia, an arrangement that compelled the distributor to implement a double firewall scheme.

    "At the very first stage, security was considered," says McKesson CIO Carmine Villani. "We think about security more as a core value or function rather than a bolt-on." In the past few years, Villani says, McKesson has spent more than $500,000 on various security measures, including secure identification cards with constantly changing digital codes for all employees, and double firewalls to separate the secure servers where the company keeps customer information and its own internal systems.

    Much of that investment initially was made for the Defense Department extranet and represented a 15% to 20% "security premium" for that project. But now that those costs have been amortized over the Rite Aid project, too, Villani says the additional security costs for both extranets have dropped to less than 5% of overall expenditures. Business-side executives have never vetoed such information security spending because they realize it comes with the virtual terrain. "The reason people have problems is they are not making the investments that can prevent them," Villani says.

    Proactive thinking about information security doesn't just apply to the Internet. "It's much cheaper to do security up front as you are designing and implementing an ERP system than it is to go back and retrofit something," says Mark Lobel, a security consultant at PricewaterhouseCoopers. Adding security in the design phase of an ERP deployment might add 5% to 10% to the overall project cost.

    Though many organizations balk at paying a premium for information security, those that have had to revise systems later on probably wouldn't make the same mistake twice. A major financial company, for example, was about to deploy a business-to-business E-commerce application for settling big securities trades. Late in the development process, the firm hired Cambridge Technology Partners to advise them on security. On Cambridge's advice, the firm moved from the Windows NT platform to Unix because of its perceived security advantages, but the move caused enormous cost overruns. "The CIO had to go back to the board of directors with hat in hand," Cambridge VP Paul Kelly says. "That's not a good situation to be in."
