Tomorrow Begins Today at Net Security Firm

Sue J. Pontius boils down one of today's tough sales challenges to a few simple words.

"This is not about the future," said Ms. Pontius, who labors long Silicon Valley hours to keep her company, Spyrus, in the forefront of the emerging information security business. "This is about the way business is done today."

If she is right, and if banks and the rest of the corporate world take the message to heart, then the tools of the new security trade-smart cards, digital certificates, and public key infrastructures for distributing and managing the data encryption codes-are on their way to becoming as common as locks and keys.

Assuming Spyrus plays those cards right-and it is playing all of them- its name might soon be much more than a conversation piece. (It is short for Secure Papyrus, an invocation of ancient imagery, as if to say that enough future has arrived to put some teeth in Ms. Pontius' present-tense urgings. The company logo has hieroglyphs. Its motto: "Send forth the message, but secure the contents.")

"Without that overlay on what you do today," Spyrus' 40-year-old president and chief executive officer said in a recent interview, "then it will take years to transition. People have to realize that the evolution to digital distribution of information and property rights is well under way, and we have what they need to be ready."

Of course, there are still a lot of ifs to get past. Theories about the need for an advanced means of identification in electronic commerce have yet to be tested. If anything, e-commerce is taking off without waiting for the testing. Smart cards would seem ideal for storing and managing the electronic credentials that authenticate buyers and sellers, perhaps more reliably and effectively than in conventional credit card transactions. But under hard-nosed business analysis, cost-justification seems lacking.

Spyrus is one of a host of mostly small and youngish technology companies trying to justify and demystify, while earning a profit and standing out from the pack. Many have cropped up in San Francisco Bay Area cities like San Jose, where Spyrus started six years ago, and Santa Clara, to which it is in the midst of moving.

Typical of many in the digital security field, Spyrus has federal contracting roots. Ms. Pontius came from Tracor, an electronics and engineering company founded by retired Admiral Bobby Ray Inman. She and her co-founder, Jan Peterson, built Spyrus around some innovations they were working on for compact discs. They viewed CDs as the next papyrus, requiring secure and controlled access by means of digital certificates.

They were a bit off with the CD medium but made a big impact with another hardware device, the Lynks Privacy Card. Spyrus has supplied hundreds of thousands of the metal computer-insert cards for the U.S. government's Fortezza cryptography program. Fortezza cards have also been scaled down into chip card format, called Rosetta, which won Spyrus a big endorsement-and an initial 20,000-card order-from the National Security Agency, announced in April.

Spyrus' smart-card-security experience and close involvement in the bank card industry's Secure Electronic Transaction standard-an acquired company, Terisa Systems, helped write and implement SET, and the Spyrus WebWallet was one of the first certified digital wallets-make the company as ready as any to package chip cards with SET certificates.

"They are well positioned around the smart card," said Scott Loftesness, a veteran of Visa International and First Data Corp. who recently became chief executive officer of Digicash Inc. "I think they will do very well, and in Sue they have a very fine executive."

An aspiring competitor, who asked not to be identified, said Spyrus looks formidable mainly because of its government links. Spyrus used them advantageously in winning electronic postage metering business and a key role in an ambitious, global, United Nations-sponsored e-commerce program, but "things may be different" in pitching to the private sector, the source said.

Ms. Pontius would argue that the government market's hard knocks were ideal preparation for what she sees as the next wave-corporate applications in intranet and extranet security, virtual private networks, digital certificates for customers and traveling workers and telecommuters who dial in to data bases or e-mail.

Just as the Internet began as an obscure government phenomenon before going commercial and, eventually, to the consumer market, so too, the thinking goes, will digital security. Ms. Pontius said 1998 was just the beginning of "the enterprise market."

"We ask, what is enterprise security and how is it defined?" she said. "Today it is a card allowing entry to a building. Combine that with logical access to data and networks, and you begin to migrate and integrate security with information technology, and get operating efficiencies."

The business struggle, whether for market prominence or investment capital, is at once cutthroat and shared, creating a community of what has been called coopetition.

Microsoft and Netscape may hate each other, but Spyrus has worked with both and likes what they are doing in software and browser products to incorporate, and further the cause of, digital certificates. Meanwhile, it is cheering computer-keyboard, set-top box, and hand-held-device manufacturers for beginning to build in smart card readers.

Verisign Inc., a Silicon Valley neighbor, and Entrust Technologies Inc., a Richardson, Tex., spinoff of Northern Telecom of Canada, blazed the certification industry's trail to the initial public offering market this year. Spyrus crosses paths with them and hopes to better a lot of what they do, but "I applaud them," said Ms. Pontius.

"We are out to accelerate the marketplace-we need Entrust and Verisign and more" certificate authorities, Ms. Pontius said. "With multiple products, the best of breed will win. How many public key smart cards are there today? Entrust and Verisign's revenues are minuscule compared to what this industry is going to be."

Those high-profile companies "drive and quicken the marketplace in financial services and for the products we offer," said Tom Dickens, whose title at Spyrus, global operating officer, is meant to underscore that even a 90-employee enterprise needs to think and act in as broadly virtual way as possible.

In that organizational sense, there is nothing conventional about the mind-set at Spyrus, which for the moment is profitable and self-funding, not testing the IPO waters. It also has not relied on venture capital like so many of its peers-"one less pressure for us," Ms. Pontius said. Even so, Spyrus last month came in fourth among the Silicon Valley Fast 50, a listing of hot companies sponsored by Deloitte & Touche and including Cisco Systems and PeopleSoft.

"We are trying to educate people in a different way of doing business," Ms. Pontius said. "We have offices 3,000, 6,000, 10,000 miles apart, but we also know that trust and relationships are still built face-to-face."

"Ultimately, the customers will choose the best turnkey product that meets their needs, and we intend to set the standard for that," said Mr. Dickens, who has been with Spyrus since 1993.

That requires putting together what Kenneth Mohr, the communications director, called a "chain of trust, a powerful way to manage and protect information," from smart cards up through a certificate authority.

Ms. Pontius said that explains why Spyrus went out and bought Terisa in 1997 and, this year, the Australian public key infrastructure vendor Signet Systems and a line of smart card readers from a unit of Oki Electronics of Japan.

These may put Spyrus in competition with Hewlett-Packard Co.'s Verifone unit or Entrust or Gemplus, but Ms. Pontius prefers to view them as components of the essential, full solution. "We have a pretty good idea of where the endgame is," she said, "and that is what we are buying technology companies for."

There remains the task of getting the basic messages across about information security to a market confused about technical standards and unsure of business cases. "These are not early-adopter industries," she said of banking and health care, two Spyrus priorities.

"We need to take care of them today while giving them a migration path," said Mr. Dickens.

There is some hope that system reassessments associated with the year- 2000 software problem might help create such a path, but six years of waiting and hoping leave Ms. Pontius at "the long run" even beyond that. "This is about content-yours, your company's, the entertainment industry's, whatever is deemed to be valuable," she said, ever confident that the education process-eventually-will send that message forth.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER