Can security be a competitive advantage? Are security and privacy at odds with speed and collaboration? How has Sarbanes-Oxley complicated the security challenge? And how do you balance risk and security? Those are just some of the pressing questions 23 prominent IT executives and academics addressed at a recent day-long roundtable at The Thought Leadership Summit on Digital Strategies, an ongoing series of discussions for Fortune 500 CIOs and executives focusing on the business issues they face and the enabling role of IT.
Participants represented some of the largest and most well-known companies, including Citigroup, Owens-Corning, IBM, General Motors, Hasbro and Cisco Systems. Harvard Business School and Bentley College led the academic group which included Dartmouth College and Tuck School.
"I never want to be in a position that the business wants to do something and I'm constraining it," said Max Ward, vice president of technology at stationery supplier Staples.
There was widespread agreement on that point, but several participants said that sometimes they can't avoid it. IT staffers are often so busy putting out fires, fighting viruses and applying patches that they don't have time to think about ways to make the business function better.
The issue becomes even more complex when you're talking about the extended enterprise. "As we extend the enterprise out to the suppliers, having to deal with security and validating that this company is trusted . . . it's slowing that process down, but we have to do it. There's no way around it," said Doug Schwinn of Hasbro.
John Moore of IBM concurred. "You really want to be able to tie two networks together to have that free flow of information, but if Company A doesn't have the same security standards that your company has, you're really opening up your door to everything that wants to come in."
The emphasis on security also can slow innovation, said Jim MacDonald of Fidelity. Fidelity likes to work with small, innovative tech companies that can "help us get a competitive advantage."
Eric Johnson, director of Tuck's Centre for Digital Strategies, said information security today has similar qualities to that of 20 years ago: bolted on not built-in, viewed as an inhibitor of operations and residing in a "special" department. "It must move to being designed in at the start, being an enhancer of operations and internalized throughout the company," he said.
The security advantage
On the question of whether stellar security can be a competitive advantage, most executives took the position that security is a prerequisite for doing business, but not necessarily something a company trumpets in the marketplace.
"Failure in security is what gets noticed. If you're successful, [security is] expected," said Jack Matejka of Eaton.
Hasbro's Ed Kriete took a similar tack. "If you screw it up, there are going to be real consequences, but at this point, it's really a qualifier."
Unfortunately, in today's world every company is a target, and two problems that weigh heavily on IT executives are trying to identify where the threats are coming from and trying to assess and analyze risk.
For this group of IT execs, the fear factor is real. "What I worry about is emerging threats that I don't know about," Fidelity's MacDonald said.
Don Kosanka of Owens Corning has dealt with insecure applications that were written when factories were isolated from the rest of the world and not connected to the supply chain.
For John Cianci of IBM a big issue is protecting servers in IBM's labs. Cisco's Brad Boston faced a similar situation: "We had to isolate all the labs. They were my biggest source of denial-of-service attacks."
Other concerns are employees who connect from home over broadband or who use wireless connections, and employees who mix personal and corporate data on their personally owned BlackBerries and PDAs.
Owens Corning uses a similar process to assess risk for its manufacturing plants, Kosanka said. "When you look at a manufacturing facility, you try to understand the probability of a failure and the impact of that failure. Looking at those two factors, you make decisions about how much you're willing to invest," he said.
Government regulations, particularly the Sarbanes-Oxley Act, are a major headache, according to the IT leaders. They said they were especially bothered by the lack of predictability and uniformity in terms of what is required to meet the regulations and how those regulations are interpreted by auditors.
Hasbro's Schwinn described the process as onerous and complained that it's difficult to get a clear understanding of what the law requires. "The goal line keeps changing," he said.
"We use different auditors," Cisco's Boston said. "One to tell us how to do it, and the other to test it to do it right."
Boston argued that while recent financial scandals spurred these regulations, "none of these controls will prevent [another] Enron or the next WorldCom, because it has nothing to do with what happened."
For other issues, such as ways to decrease complexity, there are no easy answers. Some panel members said they would like to reduce the number of vendors they deal with, but worry about creating a single point of failure or becoming too dependent on one vendor.
Many spoke about the desire to move off the Microsoft monoculture and spread their risk among multiple platforms, but there was agreement that such a strategy at this point was untried and risky.
Similarly, the IT executives said they struggle with finding metrics to determine whether they are spending too much or too little on security.
Scott Day, global information protection manager at Cargill, said that determining how much you're spending is difficult. "Do you count directory services in your security budget? Do you do ID access in your security budget? In my opinion, there is a wide range of debate. You take all that and blend it together, you get a target for what you think your company needs. You go to your [departments] and stakeholders and say, 'Here's why we're reaching that level and here's what we're doing from a financial standpoint.' Either they're happy with it or they're not," he said.
There are limits to how much you can ask for, Ward said. "We know we need to do things, [but] I am not going to tell our CFO that we need to do something that's going to break the bank."
At the end of the discussion, the executives agreed that security needs of companies will continue to grow but must be implemented in a manner that does not impede core business activities.
Each participant came away with specific areas on which he planned to focus. "I guess the thing I'm left with is thinking about how we could improve the communication that we make as an IT group to our user base," Elliott said.
The summit was co-founded by Cisco and the Centre for Digital Strategies at Dartmouth's Tuck School of Business. John Gallant, president and editorial director of Computerworld's sister publication Network World, moderated the roundtable.