Information Security

Solution Search:
Effectively Securing your Networks with Unified Access Control by F5 Networks
talked about a great deal within the information security & network architecture industries. The concept of Unified Access Control or Network Admission Control is being...
Interlocking Priorities by Information Security Magazine
Information security professionals face challenges galore in 2008. ...
Information Security: Meeting Today's Challenges by Websense, Inc.
...and best practices. Information security today is indeed a complex challenge. Organizations must balance the cost of protecting information against the value...
The Time Is Now: Making Information Security Strategic to Business Innovation by RSA, The Security Division of EMC
world that are critical to making information security decisions. Business innovation is now a top-level concern at more enterprises, driven by the fiercely competitive...
Information Security Podcast Series by IBM
how to make the move from asset based security to data-centric security. John Burke, Nemertes Research will discuss Information Risk Management and how to make...
Security Certifications' Ethics Programs Merely Window-Dressing by Information Security Magazine
discusses the role of ethics in information security certifications offered by ISACA, GIAC, (ISC)2 and ASIS and what efforts have been made in ethics programs. Professional...
Baking Security into Your Network Infrastructure by CDW Corporation
Information technology (IT) and information security (IS) have become increasingly consolidated in recent years because of the growing overlap of network and security...
Securing Extranets by Information Security Magazine
Traditionally, information security has been based on strict dividing lines. Companies wanted to allow only their employees access to important resources...
Editor's Desk: Risk Management for the Next Decade by Information Security Magazine
Information Security celebrates its 10th anniversary with a new theory on risk management for the next decade. Cramming 10 years of...
Information Risk Management: A Practical Approach for Enabling Business Innovation and Managing Information Risk by RSA, The Security Division of EMC
your own organization. Across the information security industry, there has been extensive discussion about the potential of information risk management strategies to...
Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards by RSA, The Security Division of EMC
practices of 10 of the world's top information security leaders. For top-performing organizations, business innovation is not simply an event in time or a laboratory...
Oracle Database 11g Release 1 Transparent Solutions for Security and Compliance by Oracle Corporation
strong data security. Effective information security starts by protecting data at the source - the databases in which it resides. Historically most organizations have...
Oracle Database 11g: Transparent Solutions for Security and Compliance by Oracle Corporation
strong data security. Effective information security starts by protecting data at the source - the databases in which it resides. Historically most organizations have...
GRC: Over-Hyped or Legit? by Information Security Magazine
used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or...
Security of Microsoft SQL Server 2008 Improves over Previous Versions by Information Security Magazine
Read about the security features in SQL Server 2008 in this article. By far the most significant change over its predecessors is its granular...
Layer8 by Information Security Magazine
models that work with the available information. In today's world of sophisticated malware and ubiquitous connectivity, this means ensuring all systems have some...
Ping by Information Security Magazine
risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk. Some large organizations were some of...
Using an Information Agenda to Meet Complexity and Change in a Tough Retail Market by IBM
supply chains, compliance and information security. These forces are driving companies to develop new business models.

For example, some retailers are now offering...
Data Protection Security Best Practices by Iron Mountain Digital
document discusses the data and information security issues associated with personal computers. In this white paper, we highlight the ever-growing need for data...
Proactive Security Monitoring with RSA enVision® Platform by RSA, The Security Division of EMC
over a period of several years, the information security team wanted a more proactive approach to security monitoring. Actionable alerts about behaviors that pointed to...
Layer 8: June 2007 by Information Security Magazine
Its techniques are helping improve information security. The emphasis on process maturity is not meant to be some sort of magic management bullet that will solve all security...
Achieving Compliance in a Virtualized Environment by Tripwire, Inc.
how to mitigate risks. High profile information security failures resulting in the loss of cardholder data, confidential information, and personally identifiable...
Editor's Desk: Sept. 2007 by Information Security Magazine
again surfaced for discussion in information security circles.

Some have scoffed at the assertion that cyberterrorism is a real threat today. But with the power of botnets...
eBook: 2009 Spending Priorities in the UK by SearchSecurity.co.uk
refocused IT priorities back on information security for 2009.

Check out this expert eBook and learn more about:

  • How your company can leverage the Data Protection Act, PCI
...
Related Interviews
By Linda Tucci, Senior News Writer
What is the biggest challenge in getting a job as a first-time CIO? Is it out-competing others who look similar on paper?

I think there is a tremendous amount of competition. Most of the CIO positions out there are usually going through some type of an executive recruiting network. The recruiters I talked to don't usually pull up a set of criteria in a database online. One recruiter I talked to doesn't even recommend candidates putting information into an executive recruiting online database, because most executive recruiters aren't going to use it. They're going to look to the contacts and network of sitting CIOs or deputy CIOs to ask if there is someone on their staff or someone they know.
You became CIO of the World Wildlife Fund at age 37. What helped you most to get that job?

I was recruited for it. I did not approach an executive recruiter for that position; they approached me, at the recommendation of another sitting CIO. I had established my credentials in the private and for-profit sector. I had gotten experience with a variety of technologies at some pretty tier-one organizations: it was Sallie Mae on the financial services side, and PricewaterhouseCoopers on the consulting side. I had gotten all my tickets punched. I got my technical MBA at Johns Hopkins University. I actually took it a step farther. A year after I obtained my graduate degree I started teaching as an adjunct faculty at Johns Hopkins -- intentionally.
As a way to increase your network?

Increase my network, increase my exposure. As an adjunct faculty I was giving back to the IT community and the educational community, but at the same time I was greasing the skids for easier access to publications. When someone was looking at my bio and saw I was a director of this, a tech MBA and teach at a graduate level, when I submitted articles I believe they had a little more merit behind them.
What's the biggest mistake you made in plotting your career?

I'm not sure that I made any.
None?

I really don't think that I have. I've gotten consulting experience, I've gotten for-profit experience, I've gotten Big Five experience, I got my tech MBA, I've got publishing experience, I've got my graduate adjunct faculty. The only thing that I would -- I don't know if this is really a mistake. I was about to say, started my graduate work earlier. But Hopkins wouldn't really let me enroll in the program until I had a specific number of years of business experience.
Fifty percent of your experience is in consulting, and you strongly recommend that aspiring CIOs work as consultants. Why?

You've got to get both sides of the fence if you want to be a viable CIO. You have to understand the consulting proposition. You have to know also how to manage consultants and vendors.

Being a consultant makes you a little bit humble. There are many instances where you have to sidestep and put the brakes on what you may know technically or business wise. You may have to deal with a client or a customer that is not that smart or that doesn't know as much as you do, and you've got to figure out creative and diplomatic ways to get that customer on board or eliminate any roadblocks that the customer may be putting up. In the organizations that use consultants regularly, some of the internal employees are a little bit jaded. They're thinking, 'Why did we have to go to the outside, when we could have probably done this on the inside.' Serving in a consulting role gives you far more experience than flat-out IT experience.
Define for us what you call in your book "the IT glasshouse."

I define the glasshouse as the central IT management infrastructure of the past where all decisions, all the systems and all the policies were pretty much made within the IT shop. If you had to classify it as a government, it would be an IT monarchy. Today, I don't believe that works. I am not a fan of 100% decentralized IT, where managers and staff are completely decentralized and put into business units. I am not saying do a 180-degree from the old model. But I do think that today's CIOs need to work more with the business units and customers of their organizations and form better relations to share the risks, responsibilities and project sponsorship, as opposed to assuming the responsibility in IT or forcing a system on a business unit.
There is a lot of talk about letting your business units take responsibility for the technology they use. But how do you do that? Do you get it in writing?

I do. But I don't let them take responsibility for the technology. I let them take responsibility for the business process that drives the solution. So when we are looking at doing a requirement analysis for trying to solve some problem or drive some goal, whether it is increasing revenue or something else, when we put budgeted dollars toward the project, we use an organizational structure that integrates with the project manager in the business unit itself. I bolt on an IT lead and have at least one business VP take accountability as co-executive sponsors. At the end of the day if I don't get signature from a business unit sponsor for a business unit application, I will not press forward. I make the calls for infrastructure, for security, all those good things. That is my job. But if we are looking for a CRM system, for example, to help drive donor management, the CIO should not own that system. IT should be owned by the business unit that is responsible for the revenue.

I have a simple phrase: IT drives technology decisions. The business units drive application business technology.
I thought it was refreshing to read in your book that a CIO should have a solid grounding in technology, because so much of what you hear now is that this position is being taken over by businesspeople.

I just met one the other day. A new CIO from the business unit, and I think he's scared. Think about it. I take the inverse view that businesspeople can do the job. I think it is way off, and I am not shy in stating that. Look, this is a profession that in my case includes 20 years of work experience at some of the best companies in America. I have gotten a top-tier education. If you combine all that together, I am somewhere in the 28-year range of progressive IT skills and experience, managing technology and applying it to business. Now, would you hire someone who came up that track, who had all that experience in IT, to head up your financial organization? I wouldn't.
The flip side is why is it hard for technical people to speak in business terms?

Given the amount of time they work on the technology side versus the amount of time they spend in the business unit side, it is so easy to lapse back into all of the different acronyms and the lingo the technology people use. I'll be honest. I have to force myself to be conscious of the fact that when I am speaking to a nontechnical audience to not be too technical. I have to force myself, today, and I am a sitting CIO with a new book out giving guidance to others on how to follow in my footsteps. It's hard.
Does it have anything to do with the notion that the kind of people attracted to technology are very concrete in their thinking; they simply think in a different way from businesspeople?

Working in the technology area takes an analytical, top-down, logical, process-oriented person. That said, I think at some point in their career they have to force themselves to branch off and submerse themselves in an environment, like an MBA, which makes them recognize the other side of the fence and to think like a business person. The technology field attracts far more the introvert than the extrovert. I probably started out as a pretty strong-typed introvert and became a forced extrovert as a result of going up the ladder.
When did you turn outward?

When I realized that it was absolutely one of the most important skills needed for an IT executive to have excellent communication skills.
How long did it take you to hone your presentation skills?

Oh gosh. I'll give you the answer in the form of advice given to me from one of my mentors. I asked how long it would be before I was completely comfortable giving presentations to an audience I had never met before. The answer was, once you've done your first 100 or so, you'll get the hang of it.
Your book's title is Straight to the Top, and top for you is CIO. Do you ever think there is somewhere else to go once you're a CIO?

Absolutely. I think it is the next-generation track to chief operating officer, and potentially a CEO of a technology company. I can tell that my career aspirations include one or two of these tracks.
You devoted an entire chapter to golf. I found that a bit shocking.

It wasn't the whole chapter. Half of it was about the vendor management function. I talk about the importance of relying on vendors, having a vendor management strategy, in my case reducing the overall number of vendors, and distinguishing between commodity-based vendors and strategic vendors. I consider Dell a commodity-based vendor. I buy stuff from them and put it in. A strategic vendor will actually help me go from Point A to Point B. It might be a CRM vendor. It might be a consulting vendor. And I talk about that whole process of how do you manage and scorecard your vendor and different approaches for doing that. And I ask other CIOs how they do it. So you'll see stuff about outsourcing.

Then, halfway through Chapter 8 is when I start talking about integrating sports to build your relationships and to grow your network and build stronger relationships with your vendors.
But why go out with them at all, especially given the sensitivity about conflict of interest these days?

Well, let me ask you, define conflict of interest.
There are some companies that say don't even go out for a cup of coffee with your vendors, because you don't need to be friends with them or beholden.

That would be the federal government. And you know what? I understand why they do it. But I don't think that a cup of coffee is going to materially make a difference in the decision to purchase goods or services. I think the federal government has just decided to take that track. But I take the issue beyond the level of the CIO. How many CEOs do you know who go out and have dinner with some of their partners and vendors and colleagues? And how many CEOs and presidents do you see on the golf course? I can tell you I played golf in a tournament and John Thompson was there. He is not a CIO. He is the CEO for Symantec.

It doesn't have to be about who pays for what, as I clarified in my book. My guidance to people is, check what your policies are. If there is a no-pay policy, fine, pay for yourself. There are some clear benefits of getting out of the office and spending some time with people, getting to know them. And at the end of the day, because I have a better relationship both professionally and through sports, I have several vendors who I can pick up the phone and say, 'Listen Tom, I need this done, you need to help me out with this.' Now granted, they should be able to do that regardless, as a vendor. But it doesn't work that way. And if you look at the quotes from the vendors in the book, people tend to reciprocate, form partnerships and get more stuff done, cut through the [bull], when they have a better relationship. And I have found that a 30-minute meeting in my office doesn't get me a better relationship with a strategic vendor.
Another piece of advice you give is that a CIO has to think like a chief financial officer. Why?

If you don't start thinking like a CFO, you're going to be reporting to one.
What is so bad about reporting to the CFO?

Because historically, CIOs who report to CFOs are doing so because the CFO is not comfortable with their financial management skills, or the CIOs need to be reined in on their cost controls. The other research that I found is that CIOs who reported in to the CFO spent overall less percent of the company's revenue than those that didn't. A CFO's job is internal controls, audit, cost containment, financial management and reporting. I don't think that is the best creative place to put a potential innovator and catalyst, such as the CIO, who interfaces with just about everybody. There is no other executive that touches every other point of the organization.



Gregory Smith, author of "Straight to the Top: Becoming a World-Class CIO" and CIO of the World Wildlife Fund, talks about his carefully plotted route to the executive ranks and offers some tips for aspiring CIOs.
By Sarah Lourie, Associate Editor
Why did you decide to add the CIO track to this year's show?

Instead of just having the vendors up there, talking about their strategies in a vacuum, when we involve the CIOs, we are able to add some reality into the mix.

They are able to give feedback, saying 'You know what? That iteration of a dual-license model really wouldn't work in our case and here's why,' or 'The reason why we're not using open source applications is x, y and z, but if you solved those problems, then we would be happy to buy them.' So it made the conversation that much richer.
Are there companies that just shouldn't use open source?

It depends. For example, if the company has Windows running everywhere and wants to use Microsoft SharePoint, it probably wouldn't make much sense given how SharePoint integrates with [Internet Authentication Service], with their database, with the range of things Microsoft offers. It probably wouldn't make much sense for them to go out and find an open source content management system like Mambo or some other alternative. But for companies that have a mixed environment, then absolutely, open source should appeal to them. Generally speaking, I think the answer is that open source does measure up and they should at least give it a look. The great thing about open source is that you can try [it] before you buy [it] and if it proves to be weak or not fitting for the company's needs, delete it and no money [is] lost. Time lost, but no money lost.
Should SMBs do things differently than enterprises?

I think they should look at open source differently, definitely, because a company like Fidelity [Investments], which has a $2 billion a year IT budget, can obviously afford to tweak the code if they need to or play around with open source in a more experimental fashion. SMB buyers need to look at companies like SpikeSource and others that take a lot of the complexity out of using open source. I definitely think that they need to be looking for an integrator or an [enterprise application integration]-type vendor to make the open source adoption curve much easier for them.
Is there a major trend that you wanted to make sure was included in this year's show?

It was four years ago when we saw the rise of the first wave of open source at the operating system level. A few years later, we're now in the middle of the second wave of middleware infrastructure; databases with MySQL and JBoss proving themselves and doing quite well financially.

We are now on the cusp of the third wave and this is probably the biggest trend that'll be covered at this year's event, and that is the rise of open source applications. What's interesting about this third wave is we're no longer in the realm of successful open source projects that grow up to be enterprises, like Red Hat and Novell. Instead, what we're having is commercial entities, from the beginning, creating excellent code and choosing to release it as open source. It's just changing the way enterprises think about software and think about buying software, and I think that's a huge trend that will just continue and affect every single vendor in the world. There just won't be any vendor that can withstand the pricing and distribution pressure that open source will have going forward.
So you're talking about these waves. What does the future of open source look like?

I think [the third wave] is going to be the big trend for the next five years. I think it's going to be the next five years at least as we see these new Bohemians and as we watch large established vendors try to turn their ships around and become like more open source companies. That's not to say that Oracle is going to open up its code tomorrow. All of this has little to do with source code itself and more to do with the idea of pricing on a subscription basis, and having a lower cost structure and distributing through the Internet rather than with big, direct sales forces.
What are three things that every CIO should be able to tell their CEO or CFO about open source?

I think they should be able to intelligently talk through real legal risks and opportunities around open source.

I think they need to be able to address TCO. It's shocking. Forrester [Research] did a report on TCO studies and found that most enterprises don't actually have any clear idea of how much any of their software costs them. They don't have the ability to compare what open source would cost them vis-à-vis their closed source counterparts because they don't really know what their closed source counterparts are currently costing them in terms of manpower, etc. So I think the other thing that they need to be able to intelligently discuss is personalized TCO for their enterprise, have a grip on how much it actually costs them to deploy the software they have now.

The third thing would be migration costs. What would it cost to move from what they're currently on? As open source becomes more and more of an issue that the Wall Street Journal and The New York Times, etc., cover, the CIO needs to be able to answer the TCO and legal issues that surround it. [Because] the CEO is going to be reading about it all the time, going back to the CIO asking, 'Hey, I've heard about this. It looks big, JP Morgan is behind it, Putnam [Investments] is behind it, what are we doing with it and why aren't we doing more?'

For more information on OSBC and this year's show, visit their Web site.


This year's Open Source Business Conference (OSBC), being held in Boston next month, is different from past years in that there is now a track for CIOs. Why? According to Matt Asay, conference director and director of Novell's Linux Business Office and Open Source Review Board, it's because open source has arrived -- in the executive suites. Asay recently took some time to discuss with SearchCIO.com what CIOs should know about open source.

By Linda Tucci, Senior News Writer
Where did the idea of compliance officers come from?

The industry that developed compliance officers first was the defense industry. Back in the mid-1980s, a whole bunch of defense contractors got into trouble. There was fraud, waste and abuse in the news, and President Reagan, in order to stem the tide, asked Deputy Secretary of Defense David Packard to form a commission. The Packard Commission recommended that clean up its own house.
I remember those overpriced toilet seats.

A funny aside, we had a vice president at United Technologies Corp., who was the first director of the office of federal procurement policy, but then went to work for us. He was asked to testify because of his prior position. They asked him what he thought about the $8,000 toilet seat, and his comment was, 'I don't want to take a position on that.' That's the only comment that made it into the news.

A whole bunch of CEOs got together after that and they developed what they called DII, the Defense Industry Initiatives, to write codes of ethics and develop programs. The outgrowth of that was having compliance officers to be responsible for developing those programs.
What's your view on the expense of compliance?

I would like to split out SOX [Sarbanes-Oxley Act] from general compliance. Prior to SOX, compliance programs consisted of things that were more than financial issues. Now along comes SOX, and what SOX says is your financials need to be documented. How you handle your books and records needs to be documented. Some people might have said, 'Gee, weren't they documented before?' To a large extent they were, but over time some of those procedures changed, and the documentation wasn't changed. What became expensive was the interpretation of SOX, the testing, the requirement of having another set of auditors besides your independent auditors. So everybody is trying to do this thing completely right, and because this is a first-time effort, even companies that might have thought they were compliant prior to SOX, they are spending the money to make sure they are compliant.
There's a code of ethics that is kind of built into the military, where you worked previously, but there doesn't seem to be anything quite like that in the business world.

You're absolutely right.
The former CEO and other senior executives have been indicted on fraud charges. [CEO Sanjay Kumar and CA's former head of worldwide sales, Stephen Richards, have pleaded not guilty. Others have pleaded guilty to charges of securities fraud or obstruction of justice.] Do you think punishment is the only way to prevent misdeeds in business?

Wow. There are two answers. I don't know what else you can do with respect to misdeeds other than to punish. But I do know that if boards of directors and shareholders are not savvy to the fact that if there are individuals who have done the wrong thing, and the boards and shareholders haven't done the proper background checks in hiring those people later on, that is a huge mistake on the part of corporations -- to allow someone who has been punished for misdeeds, and then putting them back in the driver's seat should be a real negative in the business world.
Do you have to spend a lot of time reining in the tendency in people to win? Business is extremely competitive, and the desire to win at any cost, I think is pretty strong among very successful people.

No question about that. The desire to win is an important ingredient in business, and you really don't want to impede that desire to win. What you want to make sure is that everybody understands that the desire has to be measured with doing it the right way. I have to tell you that one of the things I talk to ethics officers about all the time is that you can sit there constantly and say no, no, no, you can't do this and you can't do that, and that may be one way to do your job. A better way to go about your job is to work with business and say, what is it that you're trying to accomplish and let's find the right way to do it.
Your job is not really to be a preacher, I guess.

If I end up being a preacher, I'm dead. People don't want to be lectured to. Most people feel they have good values to begin with. What they need is some guidance in solutions that are good, positive and workable and still help them meet their goals. I use an example with sales all the time. I say, if you come to me and say, 'I want to bribe, is that OK?' the answer is no, it's not OK. But that's really not the question you wanted to ask me. You want to tell me what your problem is and we want to find a solution.
Can you give me an example of a gray area where you have to come in and mediate?

Sure. You're out negotiating sales maybe in a foreign location. Someone comes to you -- a potential customer -- and says, 'I would really like to come visit your facility to see how your operation works.' This may not be a Computer Associates problem because we don't do a lot of manufacturing, but a lot of companies do. So, the answer is, of course, but the potential customer wants you to pay for it and the question is, 'Can we do that?' The answer in most instances is absolutely. But the gray area comes in when you ask how much entertaining you can do while you are there -- and are there any stop-offs, like to Orlando or to Las Vegas? Is there walking around money? Taking them out to dinner while they are there is certainly acceptable. Where you start to get uncomfortable is going beyond that and taking side trips, shopping trips.
We talked a little bit about SOX. Is SOX a good thing?

Absolutely. I actually wrote a paper saying be happy for Sarbanes-Oxley. There are some unintended consequences of Sarbanes-Oxley that make my life and everybody else's difficult, and one of them is the huge cost associated with it. But how do you argue a provision in the law that says you must document your controls? How can you argue against a provision that says you need to have a mechanism where your employees can bring accounting irregularities up through the system and the board and the suit committee can act on it? I think most people will tell you that the law itself is a very proper one.
Is there anything that CIOs should know about chief compliance officers?

The message I would want chief information officers to be aware of is that compliance officers and chief information officers should be working hand in glove. Some of the best controls that I am aware of are controls that are developed between the compliance organization and the chief information officer's organization. The more we can automate controls, the more we can take the human element out of it, the more reliance our employees and shareholders can have on the system. The chief compliance officer and the chief information officer should be married at the hip.
Patrick Gnazzo was appointed senior vice president of business practices and chief compliance officer (CCO) at Computer Associates International Inc. in January. A former chief trial lawyer for the U.S. Department of the Navy and a United Technologies Corp. CCO for 10 years, Gnazzo came to CA as part of a deal with the federal government in which the company agreed to pay $225 million in restitution to shareholders and improve its compliance and ethics practices. Gnazzo has until Dec. 31 to get a program up and running. A frequent lecturer on ethics and compliance, he spoke with SearchCIO.com about what compliance officers do and why.