¶ … Optimal IT Security Solution for Zappos Established in 1999, Zappos.com, operated and maintained by Zappos IP, Inc. (hereinafter alternatively "Zappos" or "the company"), has emerged in recent years as one of the leading providers of online apparel and footwear sales (Zappos media kit, 2014). The company has achieved its success through a combination of top-notch customer service, innovative marketing and order fulfillment practices as well as providing its customers with an enormous array of selections. In fact, at present, Zappos.com features millions of products from more than one thousand shoe and clothing brands (Zappos media kit, 2014). For 6 years running, Zappos.com has also been designated as one of the Fortune 100's Best Companies to Work For (Zappos media kit, 2014). Moreover, Zappos.com has been rated as "Elite" by STELLA Service and has been designated one of just 40 J.D. Power's Customer Service Champions in the United States in 2011 (Zappos media kit, 2014). This paper provides an analysis, evaluation and synthesis of the best solution for the current information technology security issues at Zappos. A summary of the research and important findings concerning these information security issues are provided in the conclusion.

Review and Analysis

Statement of the problem

Companies that use a Web site for their central business hub for integrated marketing must provide a comprehensive approach to customer service (Cusick, 2009). Irrespective of the type of platforms used for customer interactions, the overarching objective is to develop a positive rapport with customers to build loyalty and repeat business (Cusick, 2009). According to Cusick, "Zappos understands that -- Web company or not -- the true customer experience is the cumulative effect of all interactions and communications on the customer's perception of the company" (2009, p. 122).

While the company has managed to deliver the high quality of customer service that is needed to build and sustain a successful enterprise, Zappos has experienced some significant information technology security issues in recent months, some of which are still in place. For instance, on the company's Web site page, "Protecting Your Personal Information," it boasts that personal customer information is thoroughly protected by Trustwave. In this regard, Zappos' Web site encourages visitors to "Click on the Trustwave Trusted Commerce Seal for details regarding the Trustwave compliance and security services provided to Zappos. You can also find verification of this certificate on some Zappos.com secure pages, like our checkout and billing pages" (Protecting your personal information, 2015, para. 4). When visitors click on the Trustwave Trusted Commercial Seal, though, the following message appears:

Trustwave does not recognize this organization. Trustwave Holdings, Inc. makes no representation or warranty as to whether systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised. Trustwave Holdings, Inc. makes no representations or warranties regarding this company's business activities or operations (Trustwave recognition, 2015, para 1)

An email query concerning the above directed to the customer service department at Zappos remained unanswered at the time of this writing. Despite this incongruence, Zappos continues to emphasize the protections afforded to its customers by the Trustwave service. For instance, the company's Web site enthuses, "While on one of these pages, simply click on the key or lock image in the bottom bar of your browser window. A window will appear with our site security information" (Protecting your personal information, 2015, para. 3). Notwithstanding these assurances, a visit to the company's checkout page at https://secure-www.zappos.com/cart reveals that no such key or lock image appears in the bottom bar of the browser window.

There were some other inconsistencies identified in the company's information technology security systems. For example, the company states that its servers are protected by secure firewalls that provide complete protection for its customers. In this regard, Zappos maintains that, "You're absolutely safe while you shop. SSL Technology, Trustwave, and Industry Standard Firewalls all work together to ensure your privacy and to assist in protecting your personal data" (Protecting your personal information, 2015, para. 4). As noted above, not only is the company's Trustwave protection disabled, Zappos also reported on October 15, 2014 that it has experienced other problems in its IT security systems. According to a Zappos technician, "Due to the SSL vulnerability that was announced [October 14, 2014], Zappos has taken proactive steps to disable SSLv3/v2. SSL or secure sockets layer provides encryption to prevent your information from being intercepted in between you and a service provider, such as Zappos" (Zappos technology,...

2).
Rather than fixing the problem outright, the company simply instructs its customers to make changes on their own: "If you are using an older browser to connect to our site, you will be impacted by this change and should upgrade to a more secure version" (Zappos technology, 2014, para. 3). Tellingly, Zappos' customers would not know this unless they took the time and effort to explore the company's technology Web site pages, and even then not everything works as it is intended. Likewise, the company states that it does not require customers to provide the 3-digit security code off the back of their credit cards as virtually every other online transaction requires because it is not required to complete the transaction; however, the company also emphasizes that it has a cadre of employees reviewing these transactions for fraudulent activities and this policy may change in the future (Protecting your personal information, 2015). The company also continues to experience problems with the manner in which its secure pages are transmitted over different browsers and some customers may not be fully protected by the company's IT security systems until Zappos identifies the problem and implements corrective actions (Protecting your personal information, 2015).

Finally, a post by the company's information security officer (ZISO) entitled "Heartbleed" (April 17, 2014) reported a major security issue that affects the company's OpenSSL applications. According to the ZISO, a flaw in the company's OpenSSL enables hackers and other perpetrators to defeat its encryption technologies, revealing usernames, passwords, and other sensitive customer information. Notwithstanding assurances from the company that the problem has been resolved, the ZISO concedes that many customers still report having problems with the company's IT security systems.

Individual information systems and technology organizational success factor and their relationship to IT Security

Individual information systems and technology (IST) organizational success factors for Zappo directly relate to the company's Web site hub and the thousands of brands it features. The emerging model being used by Zappos is focused on using its human capital resources to their maximum advantage in general and with respect to frontline customer service in particular. Indeed, the company proudly notes that it holds the record for a 10-hour-plus customer call (Zappos media kit, 2014). The critical success factors for the company's IT security systems include the extent to which (a) information provides a vehicle for expressing, sharing and using knowledge, and (b) the tools of information systems and technology are the enablers of business processes and networks among employees as well as with customers, suppliers and partners (Marchand, 2000, p. 137).

As a critical success factor, the company's customer service is inextricably interrelated to the company's IT security systems as well (Cusick, 2009). Rather than using an interactive voice response (IVR) system, Zappos employs live humans beings who are intensively trained before being allowed to deal with customers (Cusick, 2009). In fact, trainees are paid during their training and even offered a $2,000 bonus to not take the job after completing training, a practice that seems to pay off by providing the company with employees who are truly committed to the company's vision and ideals (Vincent, 2012). In this regard, Vincent advises that, "Only the employees who truly care about customers and service stay the course. They're the ones who talk to customers over the phone or connect with them via e-mail" (2012, p. 37). Furthermore, customer service representatives are at Zappos empowered to take whatever steps are necessary to satisfy customers, including taking their time with their orders and even sending them replacement shoes in the event of a quality issue -- and the company does not require the return of the defective shoes. As Cusick emphasizes, "Zappos trusts you. Let me repeat that. Zappos trusts you. Imagine how that makes you feel as a customer. It's a powerful sentiment and emotion that connects with people at a very deep level" (2009, p. 122). This powerful sentiment, though, can easily be disrupted by a flaw in the company's IT security systems, and these issues are discussed further below.

The best solution

As noted above, there are a number of IT security issues facing the company at present, with the Trustwave security protections and the Heartbleed Bug being among the most serious. Although the Trustwave issue remains unresolved, there have been some steps taken to address the Heartbleed Bug issue that remains a serious vulnerability in the widely used OpenSSL cryptographic software library (The heartbleed bug, 2014). According to the vendors, "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.…