The past two decades have drastically changed the popular perception of what it means to be an IT professional. Once seen as the defining example of predictability and control, the digital world now appears to many as a chaotic mix of opportunities and threats.
No longer just the invisible stokers of the back-office engines of the enterprise, today's IT architects and managers are on the front lines of strategic initiatives and corporate governance improvements. They're also facing the increasingly demanding job of defending enterprise information assets against sophisticated and fast-moving attacks.
Surprisingly, however, the seasoned IT leaders of eWEEK's Corporate Partner Advisory Board see the changes in their duties as more evolution than revolution.
The jobs of evaluating outsourcing as an alternative and/or complementary technology support system, assuring compliance with applicable regulations, and maintaining integrity of operations are not new—although the Corporate Partners said they do find that they must address management expectations that IT departments will do more with less.
On the plus side, Corporate Partners find that today's IT users have a head start on basic skills and a personal sense—as home PC users—of what it takes to keep things up and running.
The role of IT professional is constantly in flux. We wanted to sit down with you to discuss some of your new—or, should we say, newer—responsibilities and the impact they are having on your jobs and companies.
Have any of you felt any direct impact on your resources as a result of having to meet reporting requirements or auditability requirements, such as for the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act?
Calabrese: Because of all these new concerns and the new security focus, where “security” is every third word we see, I'm shedding the commodity stuff because I just don't have the bandwidth to do a lot of the stuff that I used to.
So the elevated concern for some really complex site-specific and strategic questions like security and data confidentiality and so on are making it necessary for you to offload functions?
Calabrese: Yes. I think it's an evolution. There was a time when day-to-day acquisition of hardware and management of licensing and what have you was the new cutting-edge place where we could add value.
So you feel that the level of standards and the level of product performance have reached the point where there's kind of a maturation of what you can do as a technologist? So your opportunity in the organization is more as a CIO type rather than an MIS type?
Calabrese: Well, I think it's just a matter of looking at a fundamentally new set of technologies.
Skaff: IT continues to evolve. It's no longer purely a back-office science. A broader skill set is required—still very technical but with business acumen and negotiation and vendor management skills.
Technology has gone mainstream, but IT still finds itself in the role of bridging the knowledge gap and articulating to the rest of the business how technology may best be applied to reap the maximum advantage.
An even balance is developing between technical and business skills. In-depth technical knowledge is still required, but it must now be rounded out with the “softer” business skills. As technology evolves into a more strategic role in a market of diminishing margins, delivering a decisive competitive edge requires not just the knowledge of how to use a tool but when and where to use it.
What IT can and
Do you feel that you're getting the support from IT vendors to achieve the level of performance you need to manage these complex processes and products?
Gunnerson: Partially. I don't think we've seen any magic bullets helping us to manage things without a lot of effort. … One of the reasons is that the environment is changing so quickly. We're moving from security threats that take a month to security threats that take a day. That certainly keeps you up at night.
There are tools becoming available that will help us deal with this—stand-alone appliances that you can buy that help you do intrusion detection and intrusion prevention. They're expensive, and they look a lot like network gear, which kind of involves everybody. These aren't products you just put into your infrastructure—you really have to understand how they affect how your packets are sent both inside and outside the company.
As for Sarbanes-Oxley and the other laws that we have to support—we have to make sure that our systems reveal what needs to be revealed to be in compliance, and that's work also.
Do any of you find that you have to spend more time talking to corporate counsel or human resources or other administrative departments within the organization than was the case four or five years ago, to find out what they're going to need from you in terms of the visibility of data that Gary has just talked about?
Rosen: I'm actually finding the opposite—they're coming to us so that we can translate what [the legislative and regulatory mandates] are going to require.
Gunnerson: I think it's healthy, actually, because now we're all talking about the same systems and applications. Before, it used to be, “You do your job, and we'll do ours,” and we didn't interact on a regular basis. It's forced us to have some conversations that weren't required before.
Do you feel that non-IT people tend to be more cognizant than before about what IT can and cannot do?
Gunnerson: There's a pretty good understanding from pretty much everybody, mainly because they've grown up with computing in their homes and they've suffered the slings and arrows of viruses and software upgrades and all kinds of nasty stuff. I think the basic understanding of what computers are about and their inherent problems are obvious to almost everyone.
Benincasa: We communicate a lot with our users whenever we have to, for example, take some action to increase security. We tell them what we're doing and why we're doing it, and, in a lot of cases, the users are pretty understanding. They don't like some of the inconveniences, but they know the risks to the network and the data if we don't protect them.
Frank, I know at Bose you have pretty definite control of system configuration and so on. Have you found that user acceptance of a managed configuration for personal computing has increased as end users have started to see the costs of not having that coordination and control?
Calabrese: Well, we've been doing our darndest to bring that in as a mandate—that unless there is a very justifiable reason not to stay within that single-image, patch-managed, asset-managed environment, you do have to stay there. People understand the ramifications and understand the impact to the business. So what it comes down to is, Does your desire to have your own configured system outweigh our ability to run our enterprise systems? We feel the enterprise systems are more important.
The vulnerabilities in home
Bob, as part of the National Institutes of Health, you're in an environment where the independence of research is a real part of the culture. Do you find that users' acceptance of configuration management and what you do with their systems has increased as the occurrence of various attacks and other vulnerabilities has become greater?
Rosen: A little bit. There are still a lot of people who can't stand it and don't want it and won't have it. But when they get personally hit, that seems to make all the difference in the world. When, all of a sudden, they're inconvenienced or their work is shut down or lost or whatever, they become much more amenable to having us keep their systems up-to-date.
Gunnerson: We're seeing conversions one Trojan at a time.
Do you find that your need to do basic end-user training and support is on the decline at all as more people start to come into the work force having worked with technology since they were high-school age or even younger?
Gunnerson: I would say yes. Standard applications are known well enough that people can do their jobs. But what we're seeing is that, as threats arise, there needs to be education about the vulnerabilities in home processes, especially if you have a VPN. People are having a problem with their kids getting adware all over their systems, for example, and they want to know how to fix it. Those are the kinds of things we try to deal with proactively.
That's been something that all of you have focused on, right? People working from home or other remote environments and needing to be sure the remote nodes are configured as well as office systems are?
Calabrese: Yes. We've put a Bose-owned asset in their home—a Bose-owned laptop or a Bose-owned desktop—and the access rights and permissions and the security levels and such are all preset on those machines. There's no deviation.
And those are the only devices allowed to connect, even through a VPN?
Calabrese: Yes. Now, there are some challenges, again because of the education of the users. People understand, “Gee, I can connect this to my home network, and I can take advantage of resources on my home network. I know I can, so why are you preventing me?” We have to address those issues. We have to address why you can't load the software that the hotel gives you in order to connect to the hotel's broadband network, or why you shouldn't add the software that your DSL provider gives you but that you should go out and buy a router.
We have a policy, and we adhere to the policy. I'm not necessarily saying it's the best policy. It certainly is not cost-effective to outfit everyone who needs access to the corporation with a corporate-owned asset. It either means a more expensive laptop device, or it means two PCs and two licenses for everything. It would be far more convenient if we could leverage this ubiquitous computing thing and allow many of the things that we don't by policy—like access from handhelds, like access from Starbucks. But, right now, our security model is such that those are just things that we can't absorb yet.
Outsourcing and open source
It sounds as if managing network access from diverse points of entry and constantly supporting and refining the security posture are really occupying a huge fraction of all of your bandwidth these days.
Benincasa: In the past, we had a lot more time to work on improvement projects. Today, a big percentage of our time is spent on day-to-day activities and security. Fighting the issues doesn't keep us from doing other projects, but a project that might have taken us two weeks in the past would take us four weeks now. We just have less time to spend on the future.
In this presidential campaign season, the subject of outsourcing and offshoring of jobs, especially in IT, has had a pretty high profile. How is all this affecting you?
Benincasa: We're not really impacted by it. We're all in-house support. We use the outside very rarely.
Gunnerson: We're primarily a U.S. company. We have used offshore talent on occasion, usually on a project basis and only when it helps us speed our time to market. … So far it's not so much support as it is programming.
Is anyone looking hard at the notion of moving away from mainstream applications to open-source?
Gunnerson: I think that's always a consideration. … The question becomes, When is there a close-enough desktop derivative in the open-source field that will allow me to move or coexist?
And you feel that you have your radar on that all the time and that when it happens you'll be aware of it but it hasn't happened yet?
Gunnerson: Exactly. If there were a compelling monetary reason, we'd go after it immediately. I mean, if it was millions of dollars saved, that'd be one thing. But it's not millions of dollars saved at this time; it's more like risk avoidance because you want to have multiple platforms in case one of them gets severely hacked.
What we're seeing is that the applications that were available on open-source platforms were good a couple of years ago. They've had two years to get better, and they've gotten better. The other vendors that have databases and application front ends and app servers have made progress, too, but I think the folks in open source are catching up pretty well. We're starting to see parity. Once you have parity and there's an opportunity to move off of a proprietary platform, you will.
Do you feel the range of choices available is on the increase or the decrease, generally speaking? And is it taking up more or less of your time to stay aware of those options?
Benincasa: I think the choices are increasing. We're actively working on an OpenOffice.org rollout, and that's something that a few years back wasn't even an option. So we're seeing that there are alternatives. Look at Linux. We're doing some prototyping and using its terminal services, if you will, not only for low-end machines and shop machines but also as a possibility for remote access. We're looking at all these other options that maybe two or three years ago didn't exist.
Calabrese: On the Linux side, we are playing in that realm, the difference being continuity and predictability of service. We've gotten it to the point where stuff with a Microsoft logo on it is pretty reliable, and when we do hit a fail point, we can recover from it pretty fast and pretty predictably. Granted, [these products are] the favorite target for viruses and worms and such, but when we get those, we recover from them pretty fast. We've yet to see an alternate operating system virus in-house, and I can say that I'm not sure how long it would take me to recover from one.
In terms of looking ahead to the next year or two, in what areas do you see yourselves having to acquire additional skills or resources?
Calabrese: Our goal is to target faster delivery of service. I don't think there is a person here with a computer at their disposal who would be able to function through to the end of the day were that computer to be down for any reason.
The minute one computer is down, let alone several computers, we start ticking off lost dollars. So it really is a race.
That time to response has to be shrunk, and the only way to do it is to take and apply more intelligent approaches.
What about disruptions to IT that are not the result of malice but are just ordinary flakiness in the system? Are you finding that systems are generally more reliable?
Calabrese: Again, as a matter of necessity, in part because of the frequent occurrence of patching, we've had to really hammer down the standard compute model. Of course, the downside is, if I send out an update to 2,000 computers, I'm just as likely to kill all 2,000.
Gunnerson: On the server side, we have more of a feeling of the danger that Frank just talked about: What, if any, of the patches might clobber the applications we're running? The real trick on some of this is you run [a patch] and see if things die. Or you say, “Do I really need to do that one, or is the threat low enough that I can wait until the next patch cycle to make it happen?”
Benincasa: On workstations, we're pretty much deploying patches as they get released. On servers, we're normally a little bit behind the curve because our concerns are mostly on the servers. We don't have a big-enough test lab to test every circumstance of every application that we're running.
So, do you rely to some extent on waiting to see what happens when other people deploy?
Benincasa: Yes, and we wait to see if there's information from the news magazines, etc., about a patch being deployed and destroying an application, that type of thing. You also get a fairly good feel, even though you're not running the applications per se on the workstation, when all of a sudden the workstation is failing—it kind of gives you a feel of how clean the patch is.
Are you spending more time scanning and monitoring?
Benincasa: Oh, definitely.
Do you think you will continue to spend more time on these tasks, or are tools becoming available that will ease the burden?
Benincasa: I think the tools are getting better, but I think the tools will always remain behind the attacks because the attacks are targeting things that no one is thinking about. We're protecting things today, but somebody will attack something in two weeks that nobody's even thought about. I don't know how that will ever be eliminated. I think that's the nature of it.
The problem with legislation
Do you feel a need for a stronger dialogue between the IT profession and legislators and regulators so that the right kind of laws get passed as opposed to well-intentioned laws that completely misunderstand the situation? Or is the law just not a very effective mechanism for dealing with the problems that you face?
Benincasa: Unfortunately, the laws are only going to be U.S.-based. You can get attacked from anywhere in the world. Unless you've got some uniformity, the European community and the U.S. community can pass as many laws as they want, but you've still got a lot of other countries that can perpetuate attacks.
So, as far as you're concerned, the laws and the regulatory bodies are unable to make a meaningful contribution here?
Rosen: We've got worldwide problems, but we don't have worldwide laws.
It sounds as if we have some agreement here—that the change in the threat environment from one where you can be reactive versus one where you have to be proactive demands that some real questions be asked and answered. For example, how much does it cost to have the appropriate level of protection in terms of compute power, and is the technology really ready to use?
Calabrese: You can add one more piece to it: The [vendors] I'm talking to are looking for a two-year commitment. So I'm being asked to sign a two-year contract for technology that is appropriate today but that I wouldn't have known I would have been concerned with two years ago.
Gunnerson: I think you need to tap into the realities of the technology change and make sure that the contracts are appropriately worded. … If you're going to be locked in to something for 24 months, put the wording in there that says there will be a technology escalation review at 12 months, where you can actually make sure that the contract and the relationship between the two parties are cognizant that technology is changing. I think you'll be OK then.