IT security and risk was a high-stakes game in the Great Recession. The familiar adage of doing more with less started looking like doing more with nothing as the downturn wore on. That was the note sounded, anyway, as we checked back with some of the CIOs and chief information security officers whose IT security projects we profiled in 2009.
To accomplish what needed to be done, some discovered they had to take big risks in order to minimize risks. For example: making a bet on a startup vendor, putting their jobs on the line to change entrenched behaviors, or just changing how business got done, period, as layoffs forced more automation. (One CIO was troubled that the very automation that IT facilitated this year means fewer jobs in the future.)
Whether security will be such a high-risk endeavor in 2010, or as fraught with moral dilemmas, remains to be seen. But here are some tactics -- and attitudes -- that served your peers well in 2009. We hope they can augment your IT security and risk management practices in 2010.
Taking a risk on a young vendor can pay off.
Chuck Christian, CIO of Good Samaritan Hospital in Vincennes, Ind., implemented the single sign-on (SSO) solution we profiled in March. The technology is certainly a prudent investment for institutions that must comply with HIPAA regulations, but the only affordable option for Christian was to take a chance on a newbie vendor, Lexington, Mass.-based Imprivata Inc. He has an annual IT budget of $3 million and a staff of 27.
Yet Christian said had he realized just how young Imprivata was -- a startup -- he might have gone in a different direction or not done the project at all, even though his team did due diligence. But the partnership has continued to pay dividends.
"The lesson learned for me is that sometimes what appears to be a risk may not be that large a risk. There is a certain amount of risk you have to take in order to get economies along the way," he said.
Listening to irate users without getting defensive can lead to novel solutions.
Among the pointers Christian offered for implementing SSO in our initial write-up was keeping the look and feel of SSO solutions on different systems the same to avoid confusion. That insight came out of the sometimes heated feedback he got from frustrated physicians.
"One of the things I have learned is to listen and keep my mouth shut. I learn from the physicians. Sometimes it is a tirade, but if you are listening, many times they will give you the solution embedded in what happens to be, at that time, a one-way conversation. So I have learned to listen to listen, rather than listening to formulate my next response for the debate," he said.
Indeed, feedback from physicians spurred a pilot project in virtual desktop infrastructure. "What they want is to be able to log on to a workstation, end that session in the middle of what they are doing, lock the workstation, go to another and be right back to where they were," he said.
Automating processes saves money but exacts a price.
Christian did not have to lay off people this year, but he did not fill the position of a person who left, thanks in part to re-engineering. "We took a hard look at what work was being done and when, and who needed to do it," he said. By automating much of the nightly routines in IT operations, he was able to move those night employees to day shifts and consequently bring an outsourced help desk function back in-house, another cost-saver.
But automation exacts a price. Christian said he experienced a moment of pause recently while listening to a report on the economy. "The good news is that our productivity has increased. The bad news is, that it is having a negative impact upon the jobs market. The downside of our getting better at doing things creates less opportunity to create jobs that people really and truly need," he said.
A perennial favorite: Talking security in terms the business understands is key.
When CIO Dennis Lauer arrived in 2007 at Millennium Challenge Corp. (MCC), a new, fast-growing federal agency aimed at reducing global poverty, he needed to overhaul its information security program. There was no process for patching, no encryption, no secure network connectivity and 23 outstanding financial and Federal Information Security Management Act violations. Vulnerability scanning implemented shortly after Lauer arrived showed the agency in grave security danger.
I learn from the physicians. Sometimes it is a tirade, but if you are listening, many times they will give you the solution embedded in what happens to be, at that time, a one-way conversation.
Chuck Christian, CIO, Good Samaritan Hospital
Even so, the pushback from users for adopting IT security practices was strong, convincing Lauer to launch an intensive eight-month, global education program that touched all the top brass and every MCC unit around the world. He also implemented a security dashboard that translates security metrics into terms management understood, including letter grades.
The overhaul has not come cheap; it was built on the back of a previously approved $600,000 technology refresh, Lauer said. But security would not have improved without the education program and without learning how to talk security in terms the business could appreciate.
Hiring an outside contractor to oversee an IT services provider sharpens security services.
One other change Lauer made that he stands by: hiring an outside consulting firm to oversee the security services provided by MCC's IT service provider, Computer Sciences Corp. (CSC). Government hiring is such a hassle that many agencies end up using the same vendor for many services, Lauer said. But having a third party oversee CSC's security services has realized enough cost benefits to convince Lauer to expand the oversight to other areas of the IT services.
In addition, the improved security is enabling MCC to move on to other projects, such as enterprise content management and data organization. "These are things we had to shelve while we fixed the infrastructure in security," he said.
Reinforcing user training with daily updates provides inexpensive, ongoing security awareness.
As a government agency, MCC is required to give users annual refresher courses in security protocols. "Sometimes that can be very expensive, especially for international organizations," he said. To reinforce security awareness training, Lauer has implemented a daily quiz called "Tips of the Day."
Rather than convene once a year, users are required to answer a security question related to IT when they log in. "That's 10 seconds a day someone has to spend answering a security question, versus bringing everyone in a room for an hour, once a year. It's pretty effective."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer.