MULTI-FACTOR AUTHENTICATION AT JAGGED PEAK
Muma Case Review
• Volume 1
• 2016
• pp. 001-016
Jeffrey Stiles pondered these seemingly straightforward questions. As IT Director of Jagged Peak, Inc., a developer of e-commerce solutions located in the Tampa Bay region of Florida, it would be his responsibility to oversee the implementation of security measures that went beyond the username and password currently required of each user. Recent events suggested that a move towards increased security might be inevitable. In just the past year, highly publicized security failures at the U.S. Department of Defense, major healthcare providers and large companies such as Sony and JP Morgan Chase had made executives acutely aware of the adverse consequences of IT system vulnerabilities. In fact, a study of business risk managers conducted in 2014 found that 69% of all businesses had experienced some level of hacking in the previous year.
The nature of Jagged Peak’s business made the security of its systems a particular concern. The company, which had grown rapidly over the years, reporting over $61 million in revenue in 2014, provided its customers with software that supported web-based ordering, fulfillment and logistics activities, built around a philosophy of “buy anywhere, fulfill anywhere, return anywhere”. To support these activities, the company’s Edge platform needed to handle a variety of payment types, including gift cards (a recent target of hackers), as well as sensitive personal identifying information (PII). Compounding the security challenge: each customer ran its own instance of the Edge platform, and managed its own users.
When only a single customer was being considered, adding further layers of security to authenticate users was an eminently solvable problem. A variety of alternative approaches existed, including various biometrics, key fobs that generated one-time codes the user could enter, personalized security questions, and many others. The problem was that where multiple customers were involved, it was much more difficult to form a consensus. One customer might object to biometrics because its users lacked the necessary hardware. Another might object to security keys as too costly, or too easily stolen or lost. Personalized questions might be considered too failure-prone by some customers. Furthermore, it was not clear that adding additional layers of authentication would necessarily be the most cost-effective way to reduce vulnerability. Other approaches, such as user training, might provide greater value.
Even if Stiles decided to proceed with additional authentication, questions remained. Mandatory or a free/added-cost option? Developed in house or by a third party? Used for internal systems only, customer platforms only, or both? Implementation could not begin until these broad questions were answered.
cybersecurity, authentication, logistics