The View From the CIO's Office | asianculturalfestival.org

By MICHAEL TOTTY

Chief information officers constantly have to cope with the difficulties posed by emerging new technologies, along with the ever-present security problems that have come with the computer age.

More in Leadership in IT

CIO Journal

CIO Journal
aims to be the single destination for time-pressed, business-minded corporate technology professionals to find the news and analysis they need to perform at their peak.

To see how they?re dealing with these issues, both old and new, The Wall Street Journal?s Michael Totty recently moderated an email discussion among three leading CIOs:

D. Michael Bennett is senior vice president of information management and CIO at defense, aerospace and security giant BAE Systems Inc.

Steve Randich is managing director and co-CIO at Citigroup Inc.

He is also co-CIO and global head of technology for Citigroup?s Institutional Clients Group.

Wayne Shurts is executive vice president and CIO at food retailer and wholesaler Supervalu Inc.

Here are edited excerpts of their discussion.

The Hot Issues

WALL STREET JOURNAL: What technologies or technology issues have emerged or grown in importance in the past year?

Amy Fletcher

STEVE RANDICH: ?A challenge is the bet we are making on Apple.?

MR. RANDICH: The digital wallet is one. It is becoming apparent that mobile devices will increasingly replace cash and plastic cards as a means of consumer and business-to-business payments and money transfers. This obviously has significant implications for banks, particularly in emerging-market countries where more people have phones than checking accounts and debit cards.

Mobile computing is another big change. More and more of our business applications are moving from a traditional Web format to mobile apps. This presents new challenges in areas of user experience and information security.

Cyberthreats also have grown in importance. Increasingly frequent and sophisticated attacks on our Web applications (phishing) and infrastructure (denial-of-service attacks) have caused us to focus more time and investment to defend against them.

BAE Systems

MICHAEL BENNETT: ?My internal customers demand more.?

MR. BENNETT: Three related trends in information management are combining to create a perfect storm for information risk management: (1) the blurring of the lines between business and personal use?both increasingly supported by the same devices; (2) the invasion of security-indifferent consumer devices into the workplace; and (3) the rising demand for more IT support, with less specificity around requirements and a greater demand for lower IT costs.

More mobile users introduce other problems. There is an increasing expectation that information be available from anywhere on any device. Adding to the challenge is the fact that the new generation of mobile devices (iPads in particular) are consumer devices, lacking in enterprise manageability, and are optimized for seamless connectivity to the cloud?good for individual users; challenging for enterprise security.

Additionally, there is a constant stream of new devices and versions, each with its own security quirks. The tools to secure these new devices always lag behind the new releases, forcing the enterprise to either accept new devices before they can be fully secured, or lag behind in adoption of new technology.

While there are always plenty of things to worry about, this could be the year that attacks on mobile devices finally present a significant threat to corporations.

Protection for phones and tablets lags far behind the standard we enjoy for laptops, but the smartphone and tablet of today is just as connected to corporate networks as traditional devices?just far more vulnerable. The fact that there?s little control over the applications users can install on a mobile device makes them an easy target to exploit, and the constant movement between home and work networks creates unwanted access possibilities.

Finally, the marketplace in our industry has become increasingly cost sensitive. And there is an even greater need to be competitive regarding speed, agility and flexibility. Thus my internal customers demand more from their IT systems and cannot afford to pay more.

It is a constant challenge to balance priorities and demand to meet essential business requirements. Business engagement is critical yet not always easy to make happen.

SureValu

WAYNE SHURTS: ?You have to integrate all the security tools.?

MR. SHURTS: Increased business focus and speed of delivery have certainly grown in importance over the last year. We operate in a very competitive environment in a slow economy, and this has put increased pressure on delivering solutions that will truly help the business in a fast time frame.

Every day we are working hard at becoming more intensely business focused and faster. This involves changing processes, methodologies, engagement models and attitudes.

We live in a world where developments like consumer technology and the cloud enable the creation of innovative technologies that can be deployed fast. We need to make sure we are learning and harnessing these developments for business and competitive advantage.

Inside and Outside Threats

WSJ: You talk about different kinds of security threats: those posed by outside hackers and those posed by the actions of your own employees. Is one a bigger problem than the other, and if so, which one? And what?s the best way you?ve found to deal with the twin problems of security?

MR. BENNETT: Of the two, our biggest challenge is making sure our employees are properly trained to avoid falling victim to a clever outside threat. A cleverly worded and structured phishing email can play havoc in a network if an employee is tricked into opening an attachment that contains malware.

It requires focused and frequent awareness training to ensure our employees are in the best position to be aware of the many ways our networks are attacked.

WSJ: Can you share a tip on how to do that?

MR. BENNETT: We do monthly training via short cartoons sent to each employee by email, to remind them of the various ways network attacks occur and what they should do to avoid being victims of such attacks.

MR. SHURTS: We need to protect critical intellectual property that is continuously being created and moved throughout our environment.

Because security bridges all areas of IT and there is no single enterprise-security company that covers all requirements or areas, you have to integrate all the security tools and controls together.

The last area is how you make very complicated security controls employee-friendly, so that they understand what to do. We are moving security awareness from an event (security awareness week, etc.) into continuous learning. We are at the beginning of this strategy.

MR. BENNETT: It?s a challenge to ensure that the variety of devices that employees want to use are compatible with an ever-evolving infrastructure and are of an enterprise nature.

Most mobile devices are designed for personal use and don?t necessarily scale or are incompatible with enterprise-level networks. We need to ensure the devices fit the network they?re using before allowing them access to the network.

As the workplace expands and mobile devices become increasingly capable, more intellectual property will be contained outside the corporate boundaries.

This will eventually force companies to adopt some type of virtual-desktop infrastructure or remote display technology, where the data is protected and isolated from direct user/device contact, but served by a solution that allows users to interact with data after they have been authorized. This will allow users much more freedom to use the latest technology, because our security won?t depend on trusting the end points.

MR. RANDICH: At Citi, we only support IOS devices today (Apple iPhone and iPad) so that we can limit the complexity due to device proliferation. For external customers (in our Institutional Clients Group, rather than consumers), generally only IOS devices as well, for the same reason.

A challenge for Citi here is the bet we are making on Apple. But the bigger challenge on mobile devices is their sheer numbers.

World-wide, Web-enabled mobile devices outnumber PCs and laptops by more than 10 times. So it is a big understatement to say that customers accessing your sites are increasingly going to want to do it on their mobile devices. Yet, the look and feel and functionality offerings on mobile devices is completely different than traditional browsers, requiring a very different end-user design.

Mr. Totty is a news editor for The Journal Report in San Francisco. He can be reached at michael.totty@wsj.com.

A version of this article appeared April 2, 2012, on page R8 in some U.S. editions of The Wall Street Journal, with the headline: The View From the CIO?s Office.

grand canyon skywalk tonga pid corned beef hash the walking dead season 2 finale born free walking dead finale