Information-security policies are getting people's attention far outside the IT department
Everyone talks about "increased awareness" of security since Sept. 11. Here's what increased awareness looks like.
Mike Engle, VP of information security at investment bank Lehman Brothers Holdings Inc., sent a pair of interns on a mission to ferret out unauthorized wireless access points that create potential vulnerabilities to the IT network's security. So what was the reaction when two unknown faces wandered by the desks of traders and analysts, taking notes on a notebook computer? A flurry of calls to security guards and a few direct confrontations. "They had people on every floor jumping up," Engle says. "The interns almost got jacked up on one floor."
Before Sept. 11, employees probably wouldn't have been so quick to notice a strange face and take action. The biggest change at many companies is that a lot more people have come to see security as a component of their job responsibilities. Half of companies have put a greater emphasis on information security and physical security since Sept. 11, according to an InformationWeek Research survey of more than 1,500 business-technology managers. Fifty percent say they've made significant changes to their strategies or policies related to information security. Engle says that now, when a Lehman Brothers department creates a new application, it brings in someone from the security team at the outset to head off potential problems. "In the old days, we would have been scrambling after the changes to the network," he says.
Late last year, FedEx Corp. created the job of chief information security officer, a move it was considering before Sept. 11 and that jumped up the priority list after the attacks. FedEx has always been serious about protecting customer information, but the attacks raised the profile of security issues throughout the company. "We've propelled it from the bowels to the boardroom of the organization in the last eight months," says David Zanca, the new chief information security officer and a 10-year FedEx veteran.
The security officer at a major paper-goods producer says that before Sept. 11, his company would only periodically scan for weaknesses in networks and applications that could allow a security breach. "Now we scan every quarter, internally and externally. We're staying much more on top of things," says the executive, who asked not to be identified.
Companies once keen to put loads of information on their Web sites now are more careful. Burlington Northern Santa Fe Corp. removed its rail-freight schedules from the Web. The railroad had a good reason for posting such information--train buffs and hobbyists love that kind of data and aren't happy it's gone--but the company decided post-Sept. 11 that those details made it too easy to track the locations of its trains. The government has been particularly diligent about removing information, such as building floor plans, VIP itineraries, and the locations of sensitive facilities, that could make a terrorist's task easier, Gartner analyst John Pescatore says. "It was crazy having this information available on the Web," he says, "and pulling it offline is a prudent thing to do."