Metallect CEO Guy Hoffman on Risk Management

For technology dependent companies, risk comes in many forms. While the traditional information security risks are often the first that spring to mind, businesses with extensive collections of software face additional risks, especially when those applications become numerous.

In an exclusive interview with the E-Commerce Times, Guy Hoffman, chief executive officer of Plano, Texas-based Metallect, said many enterprises have accumulated hundreds of different applications as they’ve grown. According to Metallect’s research, the average enterprise has between 600 and 1,000 different applications in use. Many are key business-critical or customer-facing applications, and many have release or update cycles measured in weeks.

Add in several cycles of mergers and acquisitions, which often add to the number of applications in use, and multiply the number of connections and possible conflicts among various applications, and it’s easy to see how conflict among those applications is likely.

For many enterprises, the most common way to get a handle on how applications were set up, what tasks various software performed and what might happen to those applications when changes are made was to perform lengthy and costly manual audits.

Hoffman said Metallect’s IQ Server can automate that process, dramatically reducing the time it takes to map out applications, shortening the time it takes to add new features without causing unintended consequences and generally reducing the amount of time an IT department has to spend managing and maintaining applications.

Novel Approach

Metallect is gaining traction, but is still considered a novel approach to a growing problem, Hoffman said. “It’s still something of a purple cow,” he added.

That is changing rapidly, however, with Metallect gaining strong traction in the financial services and related industries as well as in retail and e-commerce.

Hoffman discussed with the E-Commerce Times Metallect’s approach and its market prospects, as well the overall issue of risk management and how automating previously manual processes can greatly simplify the life of a CIO.

E-Commerce Times: Tell us a bit about Metallect and how you are addressing this issue of risk management.

Guy Hoffman: What we do is help companies minimize risk and reduce cycle time. For us, application change management falls into three buckets — maintaining and extending business critical applications, adopting new applications and application change management, which includes compliance and IT risk management. What all three have in common is that you have to understand what your existing application logic looks like in order to figure out the various dependencies and risks associated with making modifications to any given application. Companies have mapped businesses processes within applications.

For instance, an e-commerce business process might be converting an order to cash. But that business process consists of multiple business services, from calculating tax to generating an invoice to confirming inventory — each business service is done by a different logic. The IQ Server helps map business services to their underlying logic, so you can rapidly see and understand upstream and downstream processes. Now, when you go to make a change, you are able to minimize the risk of unintended consequences.

ECT: You say this situation often exists in e-commerce companies. Why?

Hoffman: There are a couple risks that exist there in particular. First is the race among sites to add functionality and services. Whether I’m an insurance quote site or a business to consumer merchant or a business-to-business site, the day I add a new feature or function to my site, all the competitors are forced to race to add that same feature or something similar. In the race to do that, you can run into unintended consequences — a new application makes an old feature not work, for instance. The third reason is the phenomenon of disappearing features and the brand erosion it can cause. If my customer shows up and finds a new feature and then I have to take it down because there was a conflict and the user returns and finds the feature is not there that was before, that’s not going to reflect well on a company.

ECT: There are also more and more compliance issues with Internet sites in terms of data security, right?

Hoffman: At the end of the day, compliance is about protecting certain information, such as credit card numbers or personally identifying information. At the end of the day, companies have inordinate challenges in understanding all of the logic that dictates how that information is accessible.

ECT: What impact does the greater adoption of Web services have on this issue of risk?

Hoffman: The whole adoption of service oriented architecture is another catalyst for our customers to seek us out. A lot of companies find they had tremendous duplication of that logic underneath applications, that their applications were created in a bubble. It can cause a great deal of confusion.

ECT: That confusion poses its own risks, but is it possible to quantify the cost of those risks and that confusion?

Hoffman: We know that labor represents about 80 percent of IT budgets and 70 to 80 percent of IT costs are associated with maintenance of networks and applications alone. If you want to add new features and capabilities, you can end up with a tremendous request backlog. Our solution allows people to do more with less while at the same time still mitigating the risks.

There is the risk of missing a delivery date for an enhancement feature request. There’s also the very big risk of unintended consequences, when something added breaks something else already in place. That encompasses that notion of brand erosion again. My customers or my business partners lose confidence in my brand when things go wrong. For example, we recently ordered three servers and two notebooks from a major manufacturer of computers. They lost the order and they were separate orders. It was a technical problem, not human error. Needless to say, we didn’t replace the lost orders with them. They lost not only that business but they lost a customer for life. That’s real risk. The bottom line is that something had to change in their system, because it’s a pure electronic commerce system.

ECT: Do you consider compliance to be a form of risk?

Hoffman: Let’s say I have a corporate agreement with a provider. If we had a service level agreement in place and I had a malfunction like that, it would have breached it. Or maybe in making a change, I open up something that creates visibility into confidential information, such as a Tax ID number or credit card numbers. The way that often happens is that it could be by changing something that you don’t even know is directly related, but something downstream two or three hops away. One of our customers acquired a company and learned by using our solution that all of the credit card information that was being sent was not being encrypted. Needless to say, that was a big “uh-oh” moment for the CFO. This was a publicly traded company so they were subject to SOX (Sarbanes-Oxley) and when they made the acquisition, they somehow missed that. In order to fix that, you need a way to rapidly understand every place where confidential information can be accessed from.

ECT: Give us a sense of how IQ Server works. It sounds as if it essentially indexes source code information much like an enterprise search appliance does with other information.

Hoffman: We’ve purposefully architected our solution to be something very non-invasive. People will tell you that the cost of acquiring software is often dwarfed by the cost of integrating and implementing it. Ours is set up like a search engine and you point it to where your source code is stored. It interfaces directly with the systems that store the code and it executes discovery without any risks or latency to the production system. It repeats the process daily, weekly or monthly, depending upon how it is set up, so you always have a current snapshot. The difference with an enterprise search is that we’re also working with semantic or conceptual search. So the bad news might be that when you’re looking for where all social security numbers are accessible, it’s not always called SS number in the code. It could be a range of different descriptions and abbreviations. Beyond that, if an enterprise search could find all those instances, it couldn’t draw you a map of everything that touches it. It’s like not only searching for a Web site but also saying you want to see every other Web site that links to it and how it’s connected.

ECT: What is the reaction of customers when they start to see these maps and connections?

Hoffman: It’s tremendously eye-opening. Ours is still a fairly novel capability and as we talk to companies, there is a bit of a wow factor. It’s incredible the spider web of tendencies that exist in the software sprawl of corporate America. It’s been known intuitively because we’ve been hearing from companies that every time they touch an application, something else breaks, but the only way to know before today was after it was broken.

ECT: So your solution takes the place of manual audits. Is the value proposition an easy one to make?

Hoffman: There are really three problems with manual audits — they are extremely time-consuming, extremely error-prone and they are outdated the moment they’re completed. Meanwhile, the network is doing builds and changes daily, so information is very quickly becoming no longer relevant. In addition, compliance audits have always been seen as things that suck the living resources out of an enterprise. With our solution, they can print two reports, here’s what the system looked like last time we did this update and here’s what it looks like today. And here’s everything that changed in between and the impacts of those changes.