Electronic Commerce: Ex-IBMer Offers Banks a Wake-Up Call on Security

Like a host of companies trying to make "enterprise security" a household word in the business world, Cybersafe Corp. has a whole arsenal of tools and techniques to keep information safe and intruders out.

What might differentiate Cybersafe is a not-so-secret but impossible-to-duplicate weapon: its chief executive officer.

He is Jim Cannavino, a man once in the running to head International Business Machines Corp., and who from 1995 to 1997 was president of Perot Systems Corp., overseeing a 167% rise in annual revenue, to $800 million.

Credentials like that do not come on the market every day, not even in the fast-growing and increasingly high-profile business of providing information security to major banks, other corporations, and government entities.

Cybersafe has fewer than 200 employees and headquarters in the Seattle suburb of Issaquah. Because it is privately held, it does not disclose revenues. They are in double-digit millions.

Mr. Cannavino, chairman and CEO for more than a year, has his sights on $100 million, which, he told Electronic Business magazine early this year, Cybersafe aims to reach in 2001.

That would be 10 years since the company was founded, originally as the Open Computer Security Group of Financial Data Systems Inc. OCSG was spun out and renamed in 1994, and has done a lot of its work in the financial industry.

It is expecting growth there as well.

"If you are in the security space, you have to be interested in the financial industry," Mr. Cannavino, 55, said in a recent interview. "The government and financial sectors were the first to go into this in a big way.

"Our belief is that financial institutions have to do this. They have to participate in transactions taking place outside their four walls. The whole product for them is information."

It took many bankers a while to get the message about what has come to be called enterprise security. Some early adopters may have been discouraged to learn that much of vendors' talk was cheap, and that systems that worked as advertised were hard to come by.

Enterprise security (assurances about such things as database integrity, trusted on-line connections with customers, and secure log-ins and dial-up access by employees) consists of a multitude of moving parts.

Mr. Cannavino calls these "mechanisms," and he views them as a poor marketing conception.

"This industry has been based on mechanisms, and we have to get away from that," he said.

He likened "mechanisms" to anti-lock brakes on cars, which, like the data encryption techniques Cybersafe and others sell, are feats of engineering based on complex mathematical calculations.

"Do you know how the algorithms in anti-lock brakes work?" he said. "All you know is that when you press down on the pedal, the car stops."

Cybersafe has the whole security catalogue at its disposal: public key (and secret key) encryption infrastructures, digital certificate systems, various authentication tokens and smart cards. The company considers itself "agnostic" on technology choices, assembling whatever might be called for, from multiple vendors, to create corporate experiences closer to pressing a brake pedal.

The flagship product "suite" is TrustBroker. Through acquisitions over the last several months that brought needed expertise and extended the company's international reach, Cybersafe added the Defensor communications security system and the Centrax intrusion detection program.

One of the company's recent product innovations, the Virtual Smart Card, is "white hot" in some circles, Mr. Cannavino said. It is a software version of smart cards for companies that want to avoid or spread out the expense of installing card readers on personal computers.

To help customers put it all together, Cybersafe has assembled, and invested heavily in, a professional services organization, now with more than 20 people.

The professional services group is a key to dispelling the lingering skepticism about enterprise security, said Glenda Barnes, who after a 28-year banking career, 10 of them with Bank of America, settled in with Cybersafe as director of financial services marketing.

"Everybody has been saying 'enterprise-wide security' for six years," she said. "But have you seen it?

"We have actually done it, proved it, not just talked about it. You actually have to do it. You have to show that you are supporting it and the client is happy."

Cybersafe cannot disclose very much about how it has done it, for reasons of client confidentiality. It claims to be a principal vendor to some of the largest financial institutions in the world.

One publicly acknowledged satisfied client is Wells Fargo & Co., which made a companywide commitment to data encryption.

Cybersafe literature mentions "a global financial services firm" that used TrustBroker software for a companywide single-sign-on security system. "This customer has tracked more than $10 billion in additional deposits attributed to overall security measures implemented," says Cybersafe's Web site.

For a telecommunications company, Cybersafe security components were part of a process that reduced the enrollment time of cellular customers from days to 15 minutes or less, "providing a dramatic marketing advantage," said the Web description.

Mr. Cannavino conceded that corporate CEOs for the most part have not, at least until recently, had data security on their front burners. He said he wants to engage them in a dialogue about it, in the way he learned to talk technology to businesspeople during his 32 years at IBM.

Among his accomplishments there (he retired as senior vice president for strategy and development) were the formation of IBM's PC company and the alliance with Apple Computer and Motorola that produced the PowerPC.

"If we are successful, we will 'business-qualify' security," Mr. Cannavino said, "just like the business processes that we qualified at IBM."

Mainframe computers, which kept IBM dominant for most of its history, "are not perfect," he said. "But they are business-qualified. They process 85% of the transactions in the world today, and when you need them fixed, you know where to turn."

Business-qualifying would entail some understanding by CEOs of what the threats are, where technology is heading, and how much security money can buy.

"The CEO needs a list of what needs to be done today," Mr. Cannavino said. "He can't be completely secure at today's costs, but he can get to the point where he is not the low-hanging fruit.

"You don't want to be among those who are not learning fast enough to stay ahead of the cyberterrorists," the chief executive added. "There are affordable things you can do so as not to be an easy target."

Cybersafe is banking on Mr. Cannavino's business and technical knowledge and CEO-level rapport to mesh with the company's historical strengths, product innovations, and intellectual assets.

In keeping with its flexibility to client requirements, Cybersafe said it has the only enterprise security offering with both public key and secret key technologies. It was the first to commercialize the secret key option, Kerberos, and from there developed a public key-Kerberos hybrid.

Its engineers and scientists have been influential in standards-setting bodies, including the Internet Engineering Task Force. Ms. Barnes chairs the American National Standards Institute subcommittee on banking standards. Within that effort are six working groups grappling with controversies that do not always generate newspaper headlines but that can define how business will be done in the future.

One debate of interest to Cybersafe is raging now over proposal X9.59, Account Authority Digital Signatures. AADS is a possible alternative to digital certificates and their public key infrastructure, or PKI, hierarchies.

Certificate authorities, or CAs, evolved out of military requirements, and an entire industry has built up around them, with strong government-agency support. But some bankers and their vendors are open to the newer idea, championed by Lynn and Anne Wheeler, a husband-and-wife computer scientist team formerly with IBM and now with First Data Corp.

As a presiding officer, Ms. Barnes is neutral. She said the standards institute's consensus process can get raucous at times, but there is no better way to reach a conclusion that can be widely accepted for the long haul, as happened with magnetic stripes on credit cards or the federal Data Encryption Standard.

Ms. Barnes is "caught in the middle of a tough battle," said Mitchell Grooms, chief executive officer of Secured Information Technology Inc., a California-based data encryption company working to link its technology to AADS.

"She has been through this before," Mr. Grooms said. "I don't think there is anybody more capable of seeing this through to a resolution."

"The process is working the way it is supposed to," Ms. Barnes said.

Unconstrained by neutrality, as the CEO of Cybersafe, Mr. Cannavino is pro-AADS.

"We are deeply immersed in X9.59," he said. "Certificates have a big role to play, but not as big as some people think."

Certificate-based infrastructures were "a great vision," but they came along when "the Internet was not what it is today."

Something different will be required for commerce that is "on-line all the time," Mr. Cannavino said. He sees AADS, a streamlined technique that can be linked directly to account records at financial institutions, as a way to authenticate customers without overburdening server computers with cryptographic operations.

"My personal guess is that 75% of the transactions in the world will be done certificateless with a model like AADS," Mr. Cannavino stated.
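The AADS model Mr. Cannavino describes, as an added illustration that is not code from the article, from Cybersafe, or from the X9.59 draft: the institution keeps the customer's public key in the account record itself, the customer signs each transaction, and the account authority checks that one signature against the stored key, with no certificate to fetch and no CA chain to walk. The transaction fields, the account numbers, the nonce rule and the use of Ed25519 are assumptions made for this example (Ed25519 is used only because Go's standard library provides it, not because the standard specifies it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is a constructed payment message for this illustration; its
// fields are an assumption, not the X9.59 message layout.
type Transaction struct {
	Account string `json:"account"`
	Payee   string `json:"payee"`
	Amount  int64  `json:"amount_cents"`
	Nonce   uint64 `json:"nonce"` // strictly increasing per account, to reject replays
}

// AccountRecord is the account-authority side of the model: the customer's
// public key lives in the account record, so authorizing a payment needs
// no certificate and no chain validation.
type AccountRecord struct {
	Balance   int64
	PublicKey ed25519.PublicKey
	LastNonce uint64
}

// AccountAuthority stands in for the institution's account database.
type AccountAuthority struct {
	accounts map[string]*AccountRecord
}

func NewAccountAuthority() *AccountAuthority {
	return &AccountAuthority{accounts: map[string]*AccountRecord{}}
}

// NewCustomerKey generates the customer's signing key pair; in practice the
// private half would stay on a smart card or similar token.
func NewCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Enroll binds a public key to an account when the account is opened.
func (a *AccountAuthority) Enroll(acct string, pub ed25519.PublicKey, balance int64) {
	a.accounts[acct] = &AccountRecord{Balance: balance, PublicKey: pub}
}

// Balance returns the current balance, or -1 for an unknown account.
func (a *AccountAuthority) Balance(acct string) int64 {
	if rec, ok := a.accounts[acct]; ok {
		return rec.Balance
	}
	return -1
}

// canonical produces the exact bytes both sides sign and verify; encoding/json
// writes struct fields in declaration order, so the encoding is deterministic.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// Sign is the customer's side: the transaction is signed with the private key
// matching the public key on file at the bank.
func Sign(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := canonical(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Authorize is the account authority's side. The only cryptographic work per
// transaction is one signature verification against the key already in the
// account record; the server never parses or validates a certificate.
func (a *AccountAuthority) Authorize(tx Transaction, sig []byte) error {
	rec, ok := a.accounts[tx.Account]
	if !ok {
		return errors.New("unknown account")
	}
	msg, err := canonical(tx)
	if err != nil {
		return err
	}
	if !ed25519.Verify(rec.PublicKey, msg, sig) {
		return errors.New("signature does not verify against the account's key")
	}
	if tx.Nonce <= rec.LastNonce {
		return errors.New("stale or replayed transaction")
	}
	if tx.Amount <= 0 || tx.Amount > rec.Balance {
		return errors.New("amount not payable from this account")
	}
	rec.LastNonce = tx.Nonce
	rec.Balance -= tx.Amount
	return nil
}

func main() {
	pub, priv, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	bank := NewAccountAuthority()
	bank.Enroll("ACCT-0001", pub, 10000) // constructed sample account holding $100.00
	tx := Transaction{Account: "ACCT-0001", Payee: "MERCHANT-42", Amount: 2500, Nonce: 1}
	sig, _ := Sign(priv, tx)
	fmt.Println("first use:", bank.Authorize(tx, sig)) // nil: accepted
	fmt.Println("replay:   ", bank.Authorize(tx, sig)) // rejected: nonce already used
	tx.Amount = 9999
	fmt.Println("tampered: ", bank.Authorize(tx, sig)) // rejected: signature no longer matches
}
```

Replay and tamper checks are the two failure modes a practitioner wants to see rejected here: the signature binds every field of the canonical message, and the per-account nonce means a captured signature cannot be presented twice.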

He speaks just as boldly about another highly touted advance that has yet to take the banking industry by storm, but that may have an authentication role to play with AADS.

"My first work with smart cards was in the 1980s, when a reader cost $500," he said. "Now (readers) are essentially free when they are built into PCs, and external readers are $3. So a deployment that would have cost $500 times 100,000 seats is now $3 times one-third the locations, because the others will be built in."

The economics may sound compelling, particularly within a corporate network, but the selling of the smart card has been less so. Mr. Cannavino said there were lessons to be learned in Utah and New Jersey, where public opinion was stirred up in opposition to chip-card drivers' licenses.

"Sell it differently," he suggested. "A new mechanism to protect privacy, a smarter drivers' license," or a portable carrier of a data encryption key to authorize access to a network.

"Unless you have an open felony or misdemeanor warrant, the only information available at a traffic stop will be your driving history." Smart cards could gain public approval as a way to "put some boundaries on what people can do with information."

The unexpected (a technological curveball, a political outcry, a damaging computer crime) can always happen, Mr. Cannavino said. "No matter how much of a forward-thinker you are, you are tested every day on your vision."

He said, "The Internet is in its infancy," and over the next 10 years, "things talking to things" will become the norm. Those "conversations" will have to be secure, and formulas for achieving that will have to be hashed out.

"The financial industry is looking for something new," Ms. Barnes said. "They don't have what they need to serve customers" in an interconnected world. "We are still pioneers."

"And the covers on the wagons are relatively new," Mr. Cannavino intoned.
