IBM CIO talks IT risk management, mobile device security

IBM CIO Pat Toole talks about his role in IBM's IT risk management strategy, and how IBM is handling application development and mobile device security.

This is the second of a two-part interview with IBM CIO Pat Toole. In part 1, Toole talked about his role in the development and launch of Blue Insight, one of the world's largest private clouds; the consolidation of IBM's sprawling IT centers; and the importance of CIOs having a seat at the table in the C-level suite. In part 2, he discusses the evolution of the CIO role at IBM, the IT risk management concerns that keep him up at night, and the company's internal application development and mobile device security.

Pat Toole, CIO, IBM

What responsibilities do you have for risk management?
I am responsible for IT risk management. In a broader context, I sit on an enterprise risk management committee that includes myself, the comptroller, the chief financial security officer and the general auditor. We are responsible for creating an enterprise risk management roadmap for the corporation. I have components directly related to IT, such as data protection. I also have my own IT risk management map that feeds into that.

What keeps you up at night in terms of IT risk management issues?
A growing concern is organized cybersecurity attacks by well-funded, sophisticated groups whose purpose is to steal our intellectual property. Another one is data leakage. Obviously, a company of our size, with all of our subcontractors, has to focus on making sure programs are in place to monitor data and know where the data is going. A third concern, of course, is malware attacks, which are more routine. However, [with malware attacks] the growing threat is to smartphones.

How are you handling the security aspects of personal smartphones?
Right now [our employees] are not allowed to connect to our VPN. But we have some pilots going on where people with a secure VPN connection can get at their mail, calendar and contacts. That's really what most employees want access to. What you have to worry about is when people get broad access to data on intranet sites and the ability to make attachments and move those attachments. We have to broaden this mobile device security because more and more people are working from home and using smartphones to access internal data. That is why one of my innovation teams here is focused on mobility.

Have you banned iPads here for any technical or philosophical reasons?
Oh no, we have a pilot with iPads now. We have developed some apps for iPads and BlackBerrys in order to get a feel for what productivity gains we can get. But they are just for internal use. We have a mobile apps store called Whirlwind that has 400 apps that are all homegrown.

IBM has one of the largest patent portfolios of any high-tech company. Does the company have a plan to fast-track some of these technologies into products?
We have some really interesting innovations in the area of solar cell technology. Another exciting one has to do with these plastic bottles that you can't organically decompose. Our researchers in California have developed a chemical process that helps organically decompose the bottles. We started working with a partner to figure out how to develop a low-cost manufacturing process that creates a chemical synthesis. But our druthers is to make it available for our own products.

You have some aggressive priorities for the IT organization, one of them being to achieve $11 per share by 2010 and $20 per share by 2015. What is IT's contribution to that?
We announced we will beat the $11 per share by the end of this year. The roadmap to the 2015 goal consists of organic growth and acquisitions. But it is also made up of things like productivity and share buybacks and pension plans. So, when I work with the business units to develop our business plans, I look at how they are going to affect the earnings-per-share model and [at] how much will it contribute. Our business case gets signed off on by the IBM comptroller, and is baked into our operational plans.

The evolution of the CIO role at IBM has been interesting. At one point the company had more than 100 CIOs spread throughout the company. How did it evolve down to one?
It started in the 1990s, when the company was thinking about breaking up into separate entities and so many units became self-sufficient. But when Lou Gerstner came in and saw that the real power of the company was in the integration of the divisions, we began to centralize. By 2006, we started moving the company toward this model of a globally integrated enterprise. But to do that, we had to create global enterprise-process templates. We kept driving the model towards a consolidated shared service for business transformation in IT. So, now there is this single shared service.

You have broken down the IT organization into three teams called Run, Transform and Integrate. How do they work together?
The Run team works very closely with our outsourcing partner, which is IBM Global Services, on all the infrastructure stuff. They have charge of the business units' portfolio of applications from an operational perspective. That team looks at the business processes end to end, along with the apps required to run those processes. They make sure our infrastructure has the availability, and the right structure and investments to deliver the operational metrics.

The Transform team looks at initiatives that transform the company. This is what I meant in terms of things tied to achieving the earnings-per-share roadmap, along with working on large strategic projects and enterprise risk management and compliance.

The Integrate team is embedded into the business units and geographies that help us to understand the requirements those groups need. They work closely with the other two groups on rollouts, and are involved with the business on a day-to-day basis.
