Risk

Solution Search:
Understanding and Managing Supply Chain Risk by SAP America, Inc.
explore new thinking on potential risk to global supply chains and how companies are adopting the statistical methods more commonly associated with...
The Cloud Risk Framework by ComputerWeekly.com
than 500 employees, and considers risk from their perspective

This guide takes organisations through five stages:

Identify key categories of risk for IT...

Supporting information technology risk management by IBM
the 5 stages of an effective IT risk mitigation program, the 5 components of efficiently managing IT risks and 5 questions to ponder when assessing risk...
Controlling Risk Through Software Code Governance by Coverity
the project lifecycle, and control risk through better visibility into areas of risk in the project or in the supply chain.

Today’s headlines are filled with...

Algorithmics and IBM Platform Computing Solution for Financial Markets by IBM
computational demands of advanced risk analytics across a grid computing environment enables today's banks to cost-effectively perform risk simulations...
Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations by IBM
to auditors and reduce operational risk. Learn how IBM provides the capabilities to tackle specific compliance and audit requirements and address issues...
Preemptive Action: Mitigating Project Portfolio Risks in the Financial Services Industry by Oracle Corporation
monitor every project to mitigate risk, and proactively shut down initiatives that will not deliver results as planned. Financial services firms must ensure...
Demystifying IT Risk to Achieve Greater Security and Compliance by Lumension
hand when it comes to assessing IT risk and managing compliance.

Managing IT risk is part of running any business these days. Regardless of what business you...

Managing Cloud Computing Risk by HP Enterprise Security
Have you done your best to reduce the risk of harm to your company in the event of a service interruption? In this e-guide by SearchCloudSecurity.com, gain expert...
E-Guide: VM in the Cloud by Perimeter eSecurity
must understand how the change in risk will affect your existing security strategy. View this expert resource now to gain best practices for cloud risk...
Deloitte Consulting Presents: Risk and TCO in Single and Multivendor Networks by Cisco Systems, Inc.
Can a multivendor network infrastructure actually reduce your overall costs, as some claim? To answer this question...
Industry Analyst Reports - Getting in Front of IT Compliance and Risk Management by CA Technologies
in managing IT compliance and risk. This report discusses the result of an evaluation conducted by Forrester for CA Technologies.

CA Technologies...

De-risking IT Lifecycle Management by ComputerWeekly.com
again is how best to deal with the risk the assets pose to the business.
However, few IT departments have a strong understanding of what their organisation’s...

Cloud Management: Overcoming today’s Top Risks by Intel
key insight into why revisiting risk assumptions has become so vital.

Managing Risk in the Cloud by NetApp
This white paper explores today's top security concerns in cloud environments, and aims to dispel the common (and...
Effective Risk Management in a Collaboration Driven Enterprise by AvePoint, Inc.
assess and address this risk-exposure in order to mitigate any potential losses to business productivity. Optimal platform performance...
The Application Usage and Risk Report by Palo Alto Networks
of the Application Usage and Risk Report (Spring 2010) covers a sample size that has grown more than 15 fold to 347 and is truly global. Since the Spring 2008...
Cloud Security Knowledge Center: Governance, Risk and Compliance by SearchCompliance.com
on the various governance, risk, and compliance concerns that security pros have with transitioning to the cloud. Discover how to evaluate a cloud...
Mitigating Supply Chain Risk Using Collaborative Technology by Infinity QS
trends surrounding Supply Chain Risk Management (SCRM) and the strategies that manufacturers are using to mitigate risk from their supply network. It...
Reducing Risk in your DevOps Process by OpenMake Software
can result in broken builds, high-risk software deployments, inconsistent software release standards, and a lack of insight.

Watch this brief webcast to...

Spend Performance Management - Maximize Savings, Reduce Supplier Risks by SAP America, Inc.
tie spend information to supply risk alerts, trade costs, and supply plans, yet make allowances for discretionary spending.

The SAP® BusinessObjects™ Spend...

Related Interviews
By Karen Guglielmo, Site Editor
Who do you report to?

The COO [chief operating officer]. We don't have a dedicated CIO role right now; our CTO is largely performing that function. However, my boss is a former CIO. The CTO and I report to the COO.
What percentage of your job is spent working on compliance regulations?

In 2004, I spent approximately 40% of my time on compliance. Things really fired up in 2004. When I came on board, compliance activities had been building for at least the last 12 months. I was originally hired NOT to do compliance directly. I was to handle the security aspects of compliance only. Then last fall, my boss asked for me to become corporate compliance officer, in addition to my role as CSO. So now I'm involved with other compliance issues. There was no single, executive-level focal point before I took it over. Prior to that, each business unit would identify their issues and address compliance at their own levels.
Do you have any other staff dedicated to compliance?

I have one full-time coordinator and two part-time coordinators working on compliance. We also involve the appropriate business people. The full-time coordinator is a temporary position, ending later this year (2005). Then we'll be relying upon the part-time positions to provide program coordination and help the individual contributors when they have problems. The full-time temporary person was needed initially to get the program on its feet.
What compliance regulations have you had to comply with in the past year? Which were the most challenging?

In 2004, our emphasis was on two areas. First with Visa. Visa has a cardholder information security program. We had to demonstrate compliance with that. Most people might not consider Visa compliance as a big deal compared with SOX [Sarbanes-Oxley] or GLBA [Gramm-Leach-Bliley Act] -- but it was important to our organization. There were real consequences if we didn't meet their test -- they could revoke our right to process Visa transactions. Visa has to approve anyone that wants to process transactions. This security program is a big strategic initiative for them. It also includes a lot of risk for us -- considering we could lose a huge revenue stream.

The other big regulation challenge in 2004 was getting our SAS 70 Type 2 compliance report. We needed to get this report for our customers -- all financial institutions. SAS 70 is a third-party attestation, a common instrument used when two parties work closely together and they want to make sure the other is doing what they're contractually obligated to do. When a bank outsources work to a vendor, examining the SAS 70 report is typically part of the financial institution's risk management program. The banks will look for certain controls in the vendor's organization.

It's an annual event for us; 2004 was our first one. Industry-wide, the increased emphasis on SAS 70, which has been around for quite some time now, has developed as a direct result of increased regulatory pressure on financial institutions. Financial institutions need to demonstrate good risk management practices when they are working with particular vendors or service providers. It's a reality for any financial institution because almost all of them outsource some aspect of their IT or tech operations, thus placing customer data at risk.
You're not a publicly traded company, so you didn't have to meet the SOX deadline. But do you have to meet any of the guidelines indirectly since you work with mostly publicly traded companies?

We have decided to adopt various aspects of the SOX requirements. We think it's just a matter of good business practice. We're currently analyzing now which practices we should adopt and how and when to do it. Most business leaders would probably tell you that if you're a company today that's not subject to SOX or other major regulations, it's just a matter of time before you will be. Eventually, I believe the government will extend these requirements to nonpublic institutions.
All of your customers are financial institutions. Is there even more pressure from them for you to be 100% compliant at all times?

Yes. Since we only serve financial institutions, we are getting increased pressure. I believe there are two specific reasons. First, the auditors themselves are getting more sophisticated on how they evaluate financial institutions. Secondly, the regulations are getting much more strict. As most people know, it's a common practice among financial institutions to outsource some or all of their IT to TSPs [technology service providers]. The regulators have guidelines that tell financial institutions how they should manage TSPs. One specific requirement is that financial institutions cannot outsource risk management.

Banks in the past have tended to implicitly outsource risk management along with the systems. Regulators are now demanding that financial institutions prove they are actively conducting risk management on any technology outsourcing contracts. One thing we try to do is recognize what the burden is on the customer. From the auditors -- we try to deliver our services in a way that they meet that burden of proof. We see a lot of the compliance work we do on behalf of our customers as a way to differentiate ourselves in the market.
Do you send any work offshore? If so, is compliance an issue when working with an offshore customer or partner?

We don't send work offshore. We have customers who do that, though. We try to work with our customers on how to manage their risk with offshore partners. For example, we perform a certain amount of systems monitoring and forward anything we find to our customers. I'll give you a specific problem for which there is no easy answer: We bond all of our staff, which requires a certain amount of background checking, which is fairly straightforward in the U.S. When a customer of ours is doing business with an offshore partner, our customer typically will want to perform similar background checks. However, it's not always clear how to do that with people overseas. It's usually an issue of how you find a level of scrutiny that's equivalent to a check you've done with a U.S. worker. But how does that work in India or wherever your offshore partner happens to be? What's considered to be equivalent?
Have you been audited for any compliance regulations? If so, did they uncover any issues?

Yes, we largely have had customers auditing us. In 2004, we had no less than 10 external audits. We also had six internal audits.

Issues have come up, but nothing I consider to be serious. One example is we had some faulty maintenance performed on an exterior door to our building. When the auditor was checking our physical perimeter, they found the door didn't close completely all the time. Even though that door provided no direct access to a protected area, the incident was noted in the report and we did a follow-up with the maintenance group to explain how important this issue was.

Some of our time and effort working with external auditors is spent working with auditors to help them interpret the regulations for our specific context. These regulations are very complex themselves. Issues brought up by the auditors are often matters of interpretation. We sometimes have to point out to the auditors that there isn't an issue and why -- typically because we have a different control or other compensating controls. But in the end, if the auditor is insistent, we will usually accept the issue and make the necessary changes for the customers. However, there have never been any real show stoppers.
Does the business side fully support any efforts and spending for compliance? Do they realize the value and importance of these initiatives?

Yes, for us it's very obvious. There's a clear connection between compliance and business success. We have no problems with having the business recognize the value of compliance. However, because there is so much compliance that needs to be done, the business often has a difficult time prioritizing what needs to get done.
I read that you have an off-site business continuity and disaster recovery site in Colorado. I assume DR/BC [Disaster Recovery/Business Continuance] plans are essential to the success of compliance regulations. Is that correct? Did you have this site set up before many of the regulations and auditors started coming out?

There are several compliance initiatives that officially told us we had to have this; VISA CISP, for example. Even so, the reason we have DR/BC is that the business recognizes that the money spent today to ensure business continuity will pay off. You're talking about companies [our customers] that if they're not able to process transactions, the revenue loss for them could be astounding, much more than they are paying for the DR/BC plans. Therefore, the first priority is how to prevent loss of revenue. I think compliance issues are also addressed in there, but ensuring continuous revenue is our No. 1 goal here.
Do new customers ask about your compliance plans or situation? Is it as important to them?

We make sure our compliance goals are included in our initial marketing pitches -- we state we're very in tune with their compliance needs. In some cases we're more aware of their compliance regulations than they are. On their side, there's an initial line of questions about whether we're compliant -- basically to make sure we're credible. Most of the customer's effort then moves to making sure we can deliver on their technological goals and that we come in at a good price point. Once they know we're viable -- they'll do more due diligence on us. My point is that they're interested in our compliance efforts, but it's not their No. 1 priority. They want to make sure we can deliver the service first.
Kip Boyle was hired as chief security officer of Pemco Corp. in October 2003. Compliance was not originally part of the job. But as compliance activities grew and became more important at his organization, Boyle was asked to take on the role of corporate compliance officer -- in addition to his current role -- and oversee the company's compliance efforts. In this exclusive interview with SearchCIO.com, he discusses his most challenging compliance issues and how to deal with both internal and external audits.

By Linda Tucci, Senior News Writer
Do you have a project earmarked for the budget increase?

One major initiative is in the business intelligence (BI) space.
What's BI going to do for you?

We're heavily regulated, so reports and data are extremely meaningful to us. We are working closely with business units to ensure that the data presented actually provides the information needed to make executive decisions. … Everything for the most part has been paper-based, and it works very well, but we're moving people over to an electronic base.
You still must deal with lots of paper files. Is that part of your responsibility?

Yes, it is, and it is eye-opening to me coming from the private sector. There is so much paper! Some of it is actually out of our control. We're working closely with the state to show that there are opportunities here to cut back on the use of paper and to use more electronic means.
Which software are you using for this project, and how many users will you have?

We are using the blended products of Business Objects and Crystal Decisions. We've had it for a couple of years now and have been very happy with it. We have approximately 3,000 people in the department, but it would be a fraction of that using it -- in the high 1,000 range.
What are the main differences you're seeing between the private and public sector?

There's a fallacy out there about the quality of people who work for the government. I have great people; I wouldn't pick another team. The big hurdle to get over is the ability to adapt to change. That is probably our biggest stumbling block. We are a mature organization, so change takes time and a lot of perseverance by the leader.
Why did you leave the private sector for a job like this?

I left the private sector because I was truly enjoying myself as a consultant, but the travel was starting to get to me. Most of my engagements ended up on the East Coast. I have young kids; I had to make a decision.
How would you compare the bureaucracy of government with the bureaucracy of private enterprise?

They are comparable. This is 'Welcome to politics.' And I spent my career with 'Welcome to partnerships.' The private sector is revenue and bottom-line cost driven. When you come inside here, a lot of the decisions really are strictly risk-based. There is no revenue component other than 'Can you pull down more funding?' Much of the focus in government is around risk-management and exposure.
What kind of risk?

The risk of not meeting your mandated obligation. You have news media that is constantly there, ready to publish anything that might look a little awry. You don't have to be an Enron to get headlines. That has people really antsy about making decisions, so you have to work within the political structure to keep things moving forward so people don't stagnate.
What is IT employment like in the L.A. area?

I tell people we're at a turning point. The county as an employer has benefited from the stagnant IT market in recent years. We've been able to pull in people -- and not underpay them -- but get them in for pay they may not have accepted before. I'm concerned about the turn coming. And I have talked to our Human Resources director about reassessing our competency-based skill pay system so we can anticipate the turn and stay competitive.


For Michael Sylvester, the business of information technology is a life and death matter. The CIO for the Human Services Agencies in Riverside County, Calif., since 2002, Sylvester oversees the operations that serve the county's most vulnerable -- the homeless and the abused. A math major at California Lutheran University, he earned his MBA from Pepperdine University before embarking on a career in the private sector that included stints at Unisys Corp., Cap Gemini Consulting and Ernst & Young LLP. Since then, Sylvester has found plenty of inspiration in the public sector, including a top-notch IT team. With a staff of about 120 and a $20 million IT budget, Sylvester is taking on one of the hallmarks of government bureaucracy: piles of paperwork.

By Sarah Lourie, Assistant Editor
How did you become a CIO?

The advantage of quality assurance is it takes you across all areas of the lifecycle development and touches on all aspects of everything NASA was doing because the software went through all the cycles.

The CIO that was there at the time formed a committee of people to keep him abreast of what was going on in IT areas across the context. Then he retired and the position became open, and I thought it was an interesting next step forward.

So when this position came up, it was an agency comparable to NASA, in that there were other sites associated with it, so I applied and got the job. It's been phenomenal.
Continuing to learn seems to be a priority for you. How do you make that part of your job?

I like to learn and I like the challenge -- I'm trying to read a lot of journals. IT is a field that changes constantly and you need to keep abreast of it. You can't do that in classrooms anymore. It's through talking to people that are in your field and making acquaintances with people who do your job in another agency. Because none of the people in the federal field have enough money to do what they want to do, we have to learn from each other. I sit on some committees and try to attend one or two conferences a year.
What's your budget process?

The head of our agency, administrator Linton Brooks, actually has to defend our budget before Congress. We supply him with the information he needs, but he does all of the defending. There's a lot of interaction among the people on the Hill.
How do you create an argument for him?

I always take the approach of 'Where's our greatest risk? Where's our biggest shortfall that can come back to hurt us?' Based on that, I build my justification for the money or the people. I find that when you're talking about the risk, people better understand the prioritization.

You also understand that you're not going to get it all. I have to prioritize within my department as to what our highest needs are and what we see as the highest risk to the agency.
How many people are in your department?

I have 15 feds, about 100 contractors, and I'm responsible for eight different sites [in addition to] the headquarters site.
How do you keep them motivated?

Part of it is to show that I'm interested in them. Part of it is to recognize them as people. One of the things I say to people who work for me -- and with me -- is that family is critical. They've got to have a balance in their life. We also do fun things; we have a door decorating contest for Christmas. You try to say thank you when you can. I respect them as people, not only as people who work for me, but people who have an outside life, too.
What have you found to be your biggest challenge?

Making sure my people have the resources needed to do their jobs. I can't expect them to do things without ensuring that they have both the funds and the people to work for them.
Is there a shortage of people with top-secret government clearance?

It costs a lot of money to get a clearance, so we want to make sure we hire the right people. It's ideal if they come in with it, but nobody ever does, because everybody is always looking for people with clearances. The good ones are taken up right away.
What's your most recent initiative?

We're working on something called earned value management, and it's actually a presidential initiative that all of the federal government is doing -- implementing EVM on all projects over a certain dollar amount. It's a general management technique that looks at a project in terms of how much money you have spent -- which everybody does -- but the added component has to do with where you are in the lifecycle.

So if you spent 80% of your budget, do you have 80% of the work done? It's a very good management tool to help you understand if you're on time and on budget for the amount of work that has to be accomplished.
Is there a consensus amongst your peer group of what CIOs need to pay more attention to in the future?

The fast-paced world of technology and the fast-paced problems of cyber security; those are moving very fast and our budgets never increase. That's kind of a given in the government.
Do you see yourself teaching again in the future?

In about 10 years I would like to retire and teach high school math.
With 20 years of teaching experience and four degrees under her belt, including a Ph.D. in computer science, Linda Wilbanks went back to school when she realized her students were gaining more real-world experience than she had.

She applied for a faculty fellowship at NASA Goddard Space Flight Center, and today she's the CIO of the National Nuclear Security Administration (NNSA). Wilbanks recently talked with SearchCIO.com about how she keeps learning on the job -- and how something called earned value management keeps her on track.
