At Mountain Equipment Co-operative (MEC) of Vancouver, a retailer of outdoor gear, nothing is as important as values. Whether it means designing stores that conserve energy or encouraging employees to take earth-friendly forms of transportation to work, the company strives to conduct itself ethically
and with integrity, while maintaining a high regard for social and environmental responsibility.
“”It’s really just a part of who we are,”” says chief information officer Georgette Parsons, a self-proclaimed lover of the outdoors who’s been with MEC for close to 30 years. “”… It’s been neat to watch as we’ve grown how it’s become more formal and embedded, but those values are really there and in some ways it’s made being the IT manager a lot easier.””
Launched in 1971, when six original members made good on a promise to provide quality wilderness products at the lowest reasonable prices, MEC has grown from a mail order business to include eight stores across Canada, a call centre, a distribution warehouse, and an e-commerce site. Today, it has close to two million members and is considered one of Canada’s largest suppliers of outdoor equipment.
According to Parsons, MEC’s commitment to preserving strong values is key to the ongoing success of IT initiatives, in particular when addressing issues like network security. Members of the co-operative, who pay a one-time fee of $5 to join, are treated like family and protecting their privacy is of paramount importance, she says.
HUNDREDS OF SECURITY PATCHES EVERY MONTH
“”To some extent, that care around member data, employee data and preserving our value system orients us towards taking security seriously, beyond just the risk of loss of information and value to the organization from a business perspective,”” says Parsons.
When MEC decided to expand its presence to a Web storefront in 2000, one of the key concerns was how to offer the same degree of reliability on the Internet that members had come to expect in the stores and over the phone. Recognizing that it didn’t have the in-house resources to meet the 24-hour a day, seven days a week security and availability requirements of an online store, MEC decided to hire Toronto-based Fusepoint Managed Services Inc.
As Fusepoint chief executive officer Robert Offley explains, Fusepoint provides and maintains the underlying security infrastructure for www.mec.ca — including firewall protection, intrusion detection, load balancing between servers, backup and restore capabilities, and virtual private networking for secure remote access — while MEC’s internal IT staff maintains control over the application security layer.
“”They take ownership for the applications and how they interact with their users because that’s their business,”” says Offley. “”But the infrastructure it sits on, from their point of view, is just guarded and they don’t have to worry about it.
“”There’s a human nature element that says, ‘I want to keep control because then I can be in charge of it’, but a lot of people when they first go on-line underestimate the enormity of the challenge,”” he adds. “”We probably deal with 400 to 500 security patches a month. Which ones do you install and which ones don’t you?””
EVALUATING RISK
To protect customer transactions at the application layer, MEC’s IT staff monitors a myriad of applications, including point-of-sale systems at each store location, radio frequency systems in the warehouse and a central backend membership database that resides on the IBM AS/400 platform. All wide-area network (WAN) connectivity is TCP/IP-based and while Parson’s in-house IT staff use various security tools to guard transactions, she says it’s the discipline around the use of that technology that really makes the difference.
“”I keep bringing it back to the risk. I don’t just call it security anymore,”” she says. “”… I think the risk is in the changes in your environment that you’re unaware of, the holes that creep in and the lack of rigour.””
To ensure high security standards, Parsons conducts quarterly infrastructure reviews, including environment change reviews, profile reviews, log reviews, configuration reviews and testing. She also engages Fusepoint’s expertise to conduct security audits, tapping into the expertise of its technicians to uncover network vulnerabilities.
As the on-line business continues to grow — more than 4 million unique visitors logged on to MEC’s e-commerce site last year and Internet orders now account for 50 per cent of remote sales — Parsons expects to continue with a managed services security model.
“”This is very customer-facing so for us it is very important to have a reliable customer facing infrastructure,”” she notes. “”If it was in-house, we’d be spending all of our time there and we wouldn’t have the resources to be looking at other activities.””