John Miles knew he had problems. For eight straight quarters, security auditors had pegged the network at his employer, global real estate and construction giant Lend Lease Corp., as vulnerable to attack.
So it was no great surprise when, in the summer of 2003, Lend Lease became one of thousands of enterprises worldwide to have its Windows-based systems hammered by the Blaster worm.
For Miles, senior vice president of global systems and services for Lend Lease, in Millers Point, Australia, the damage was more than simple confirmation of weaknesses in his system, which covers approximately 10,000 users at more than 500 sites in 44 countries. It was an indication that it was time to start over.
"We had an elaborate anti-virus protection program," said Miles. "But when you have worm activity, it really changes the dynamics." The worm prompted big changes at Lend Lease, but those changes meant big challenges as well.
The long months of Blaster cleanup spawned Lend Leases Project HighRise, an effort to revamp the companys approach to overall security and get a handle on the daunting tasks of security event management, patching, updating and remediation.
Founded as Civil & Civic in 1951, Lend Lease offers a range of property services—from financing to maintenance—around the globe. The diverse needs of each business within the company create a difficult management environment for Lend Leases IT staff, which must manage a wide range of software maintenance processes.
Apart from Lend Leases being a global organization, its operations have disparate security requirements as well. Financial services demand redundancy and impermeability, while Lend Leases construction operations require users inside and outside the company to access networks from far-flung construction sites.
"We manage a multitude of subcontractors," said Miles, who headed the HighRise team. When working with architects and developers, he said, "We have to expose the system to a lot of people. People arent going to want to stop working on-site to read security policies."
The dispersed nature of Lend Leases systems made fixing vulnerabilities both time-consuming and labor-intensive. The IT department, meanwhile, was being told to trim its budget. Over the past two years, Lend Lease has cut IT staff by nearly half.
With IT already near minimum staffing levels when the project began, a goal in crafting HighRise was to imagine what a smaller team might accomplish with better technology and different roles, said Miles.
"More than making people redundant," said Miles, "our CIO wanted to [improve] the work force and put the right people in the right jobs. If youre a field tech at a site, you really dont want to spend your time upgrading machines manually. We were trying to eliminate many of the mundane tasks they had to do in the past."
Lend Leases IT staff got to work in earnest in September, spending six weeks researching the project—Miles team considered outsourcing the entire operation but decided the benefits of keeping its systems in-house outweighed the potential savings from outsourcing—and eventually distributing requests for proposals in October.
Early discussions with systems integrators, meanwhile, persuaded Lend Lease to go it alone. Cost concerns were part of that decision, but the company also found that some consultants didnt believe the project could be completed in the time required. Furthermore, Lend Lease didnt have the time or money for a complex, highly customized solution.
"One of our fundamental strategies was that we wanted to partner with vendors who could deliver," said Miles. "It was a true test of the vendors [to see] who had services and products that would work right out of the box."
With that in mind, Lend Lease put its prospective vendors through rigorous pilot exercises. Identity management company M-Tech Information Technology Inc., for example, was pitted against a competitor in a test requiring it to integrate its solution with others—including homegrown Lend Lease applications—while being measured for speed.
That played to M-Techs strengths, according to Robert Miller, vice president of marketing at the Calgary, Alberta, company. "We try to encourage people to invite vendors to do pilot proof of concepts," Miller said. "That works well for us."
M-Tech beat its competition to the punch even without sending a person to Lend Leases site, as its competition did. Lend Lease was suitably impressed, and M-Tech got the job. "They demonstrated how they could get their solution working quickly," Lend Leases Miles said.
All six vendors—M-Tech; ManageSoft Corp., for security patch and inventory management; Microsoft Corp., for migration to Windows 2000 Active Directory; NetIQ Corp., for security management and administration; BMC Software Inc., for its Remedy help desk, asset and change management software; and Oracle Corp., for its 10g portal solution—were hired by March, at which point Lend Lease convened a vendor summit.
All the vendors sat down with the Lend Lease project team to go through HighRise, lay out the requirements and discuss interdependencies. This gave everyone the opportunity to build relationships before work began.
As a result, Miles said, "We knew what people could deliver and what they couldnt. We knew what the timelines were going to be. And everyone had a common set of criteria and expectations. From that point on, all the vendors were on the same page."
In addition to Miles, Project HighRise includes several Lend Lease IT administrators, such as Assistant Project Director Tom Peck; NetIQ Project Manager Brian Hipp; Remedy Project Manager Mark Timbs; ManageSoft Project Manager Peter van der Reyden; and M-Tech Project Manager John Berlo.
Lend Lease is already seeing concrete results from HighRise.
The companys network is faster, with fewer outages and less downtime, boosting productivity. Its systems, security and service management processes are now accessed through Remedy systems, simplifying monitoring and response.
Miles estimated that response time to systems and security events improved 30 percent because the network provides better intelligence—and Lend Leases IT department reports fewer such events, fewer security audit findings and an improved ability to predict trouble.
The identity management solution, meanwhile, has made it easier for people to access needed applications. Password management is a good target for IT managers looking for a return on investment, said Miller, because of the time required to reset passwords if theyre forgotten—not to mention the security risk posed by people writing them down to avoid forgetting them and the productivity lost waiting for IT help.
Lend Lease users call the help desk approximately 90,000 times each year, the company estimates. Before HighRise, however, as many as one-third of those calls came from users who had misplaced or forgotten their passwords. With the company estimating the cost of handling and responding to such calls at $30 each, Lend Lease believes it can eliminate more than half of them and deliver an annual savings of as much as $500,000. (These figures fall in the range experienced by most M-Tech customers, according to Miller.)
Broadly, IT support is now simpler at Lend Lease, in part because security upgrades and patches can be distributed remotely. Doing that manually requires about 1,200 man-hours of work for each patch, according to Miles, and the process is done as many as 20 times each year. "By automating that," he said, "you can see the savings."
More to the point: Lend Lease estimates the past cost of such operations at as much as $2 million—but the company believes that with automation it can cut the time required by as much as three-quarters, slashing costs.
Finally, Lend Lease is seeing benefits on the staffing side. While IT head count is lower than in recent years, those who remain are more productive and better placed within the organization, according to Miles. Theyre working at a higher level within their own units, while enjoying increased customer interaction, making their roles more strategic.
David P. Marino-Nachison is a free-lance writer in Washington. He can be reached at firstname.lastname@example.org.