Can IT projects and government requirements be aligned to benefit both security and business goals?
Executives usually don't look to the government for help with business-technology goals. But some have found surprising synergies between the Bush administration's homeland-defense strategy and their own efforts, even though they worry about the costs of government mandates.
Continental Airlines Inc. in Houston began developing an electronic system to match passengers with their bags in the spring of last year, months before the passage of the Transportation Security Act in November. Starting this September, a ramp employee will use a handheld device to scan a checked bag's bar-coded tag, then wait to place the bag on the plane until its owner's ticket, which contains a matching bar code, is scanned at the boarding gate.
Security is needed but so is common sense when it comes to how airlines spend their money, says Continental CIO and senior VP Wejman.
Continental expects to recoup its $29 million investment within 18 months by cutting costs associated with lost luggage. Conveniently, the project also fulfills one of the airline's obligations under the Transportation Security Act, which was designed to thwart terrorists who might check luggage containing a bomb without boarding the plane. "That's the art of my job: to ... meet security requirements but also to make a return on investment for the airline," says Janet Wejman, Continental's CIO and senior VP.
President Bush's domestic security strategy, unveiled last week, puts corporate America on the front line in defending the country against future attacks that might target physical assets or information systems. The plan, Bush says, lays out lines of authority and responsibility for federal and local government officials and business leaders. Executives welcomed Bush's overall direction but say they're concerned about costs and don't want the government to go too far in mandating specific technologies.
Since Sept. 11, the level of cooperation between financial-services companies and government agencies has been unprecedented, says Catherine Allen, CEO of BITS, the technology group for the Financial Services Roundtable, a trade association. The Treasury Department last week proposed an electronic Social Security number verification system that financial institutions could use to check the validity of numbers used to open accounts, a topic of discussion between financial companies and the government for months. Such a move might help the government find terrorists laundering money or opening accounts under false identities, while also helping financial institutions, credit-card issuers, and retailers that lose millions of dollars a year to identity theft and credit-card fraud. "The better we can verify the truth of who the customer is, the more benefits there are to the individual consumer as well as all of the institutions involved," Allen says.
Bush's strategy calls for the creation of a single office in the Department of Homeland Security to develop a plan to inventory and protect the nation's critical telecom, banking, energy, and transportation infrastructure, which the administration says is 85% owned and operated by the private sector. Safeguarding IT and network systems is a central part of that effort. Under the plan, the public and private sectors will conduct joint research to create and improve security technologies, such as biometric identification. Further details will be released by year's end, including a plan to improve cybersecurity that's expected Sept. 19, but they won't be binding on businesses until Congress makes its own changes and enacts legislation.
Some business-technology executives like Bush's plan to create a central office that would work with the private sector to exchange threat information because, they say, it bolsters their own efforts. "We'd like to develop a relationship to share and understand what threats face our company," says Michael Assante, chief information security officer at American Electric Power Co. in Columbus, Ohio. That's particularly important to the electricity industry, which supports other critical infrastructures. "Clearly, what has been missing has been an overarching strategy to tackle this issue," he says.
The new office within Homeland Security ideally will serve as a facilitator of best practices to help companies secure their IT networks, says Dennis Eccleston, CIO at the New York Power Authority. He doesn't expect the agency to come up with software or hardware to make the authority, which ties together controls at its 21 plants with private networks linked to the Internet, less susceptible to attack. "But they can make us aware of what's happening elsewhere in the world so we can take the proper action," Eccleston says.
Trouble is, businesses face escalating security costs from self-imposed projects and new government mandates. The White House Council of Economic Advisers says businesses will spend 50% to 100% more a year than the $55 billion they now spend on security services and technology. Unless government mandates are aligned with business goals, that's a heavy burden for companies struggling out of recession.
That's true for the hard-hit airline industry, which is cutting fares to lure customers. Last week, American, Continental, Delta, Northwest, and US Airways all reported steep losses. "There's no argument that we need security," Wejman says. "But we want common sense about where we're spending our dollars and our time." She points to the possible use of biometrics to identify trusted airline and airport employees as a sensible security effort and one on which the government and airlines are working. Trusted workers wouldn't have to go through the same security screening as passengers, and only authorized individuals would have access to sensitive areas. Another government initiative, one that requires airlines to use X-ray technology to screen checked baggage, is less sensible: the technology has a 20% to 30% false-positive rate. "It's all about using your resources efficiently," Wejman says.
As the government calls on businesses to help in the war on terror, it has to keep one thing in mind, says Wejman: "Let's make sure the technology is successful before you ask the public to buy into it."
-- with Eric Chabrow, Eileen Colkin, and Robin Gareiss