During John Thompson's decade as CEO of Symantec, a $6 billion enterprise security company, he transformed the company from a consumer-based software publisher to a leader in Internet security, data protection, and storage management. Thompson led an effort to diversity Symantec's product portfolio through more than 20 strategic acquisitions, especially the controversial $11 billion purchase of Veritas. Revenues during Thompson's tenure increased tenfold to more than $6 billion. In October 2008, Thompson announced his early 2009 retirement from Symantec. Enterpriseleadership.org recently sat down with Thompson to discuss the strategy for growing Symantec, the challenges of executing on that strategy, and the future growth prospects for the company.

Here's what he had to say:

EL. How has the downtown in the economy affected Symantec?

JT. No company can hide from customers that must deal with challenging economic times. We aren't different in that regard. With that said, we have technologies that companies need to have now. With data volumes growing at more than 50 percent a year for the average large company, they have to secure and to manage that information. If you look at the nature of our product portfolio, we have a certain level of insulation during difficult economic times.

Our primary products include security management, storage management, and backup and recovery. We target the largest companies in the world. More than 70 percent of our business comes from corporate and government customers. The rest of our business comes from consumers around the world.

EL. In 2005, Symantec began a diversification strategy with the acquisition of Veritas. Why did you decide to acquire a storage management company?

JT. We were interested in the backup and recovery components of the Veritas portfolio. A security company tries to keep bad things from affecting an organization's network or its systems environment. Because we had seen so many attacks in 2003 and 2004, we knew we wouldn't be able to stop all of these attacks. We, however, looked at how we could help customers recover to the appropriate level of operational control when an attack does occur. As a result, recovery tools and storage management tools became an important part of our realization that our job wasn't to just keep bad traffic out, but it was to keep an organization's systems up and running. The recovery capability became a critical component of that process.

EL. What is the company's mergers and acquisition strategy?

JT. Mergers and acquisition are an integral part of our business model. We have said to investors that we'd like to spend about half of the free cash flow from operations on mergers and acquisitions. That would translate into about $800 million per year. We want to focus it around two or three important elements. One focus is to look at enhancing the effectiveness of our core businesses, such as our core anti-virus business, and our core backup business. These businesses tend to grow in the mid to high single digit range. The second focus is on enhancing elements around the core that would provide higher growth.

While backup and recovery is an important part of what we do, email archiving, for example, is a similar function, but offers growth. While backup is an important element of what we do, disk space backup and data duplication are areas of very high growth. Can we acquire our way into related or adjacent areas that act as catalysts for growth?

Our third focus is to look for areas that three or five years from now have the potential to be high growth engines for us, but also would provide high volume. We recently acquired MessageLabs, a UK company that will complement our on-premise software appliance business, but it will give us a new marketing path or route.

EL. When you talk about high growth, what figures are you aiming for?

JT. We typically look for anything that is above 20 percent growth. We said to Wall Street that we expect to grow as a company at between eight percent to 12 percent per year. Ten percent is the mid point of that. We consider anything twice that or greater to be high growth.

EL. Why hasn't Symantec adopted more of a build versus a buy strategy?

JT. We've built much of our technology. In fact, we spend about 15 percent of our revenue on research and development. While we acquire much of our stuff, the nature of the security business has been that the threats change constantly. From 1998 to 2002, venture capitalists in Silicon Valley and in Israel funded more security startups than any other type of company in the technology industry. Each of them had a unique twist on how to solve a particular problem. We aren't so smart that we have a foundry on every great idea. To that end, we want to continue to innovate on our own, but, at the same time, we also want to be open to external forces coming in. We use a model similar to open innovation. We innovate ourselves, but we're open to outside ideas, and we're also open to investing in companies where we might be able to help them move the security spectrum along.

EL. Can you describe the business process for updating the corporate strategy?

JT. It's an on-going process. I have a direct report who runs corporate strategy and business development. We go through a quarterly review of what our portfolio looks like, what things in the portfolio we should eliminate, and what things we should acquire. We're looking for acquisitions that will enhance our core, that will represent high growth, or that will reposition us for large market opportunities with healthy growth for five to 10 years. At the annual board retreat, we share our detailed views on these subjects with the board members. Each quarter, we talk to them about the performance of the organizations we've acquiring during the past 12 months, and the prospects of organizations we might consider for the next couple of quarters. We have a healthy dialog about the long-term view of what we're trying to accomplish, the performance of what we've done, and the prospects of things that could be on the horizon during the next six months.

EL. Are you looking at technologies that relate to security?

JT. Yes! We acquired Altiris, a company that does device management. The technology relates to security. For example, before you distribute software to desktops in a corporation, you need to make sure that the software has all of the appropriate patches, that the hardware reflects all of the appropriate changes, and that a process exists for cataloguing everything so you can keep track of it. When a network attack occurred in 2003, we discovered that the vector of the attack had been present in the Windows operating environment for more than six months. If we had systems management tools to update the configuration and to update the software, we could've eliminated that attack vector. Having management tools tied to our security tools represents the opposite side of the same coin. Security resides on one side, while device management, on the other side.

EL. Do you have a particular methodology you use for measuring the success of technology investments?

JT. We look at several key metrics. Is the technology relevant to what we do today? Does it fit into our core business? Can our sales team move it? Do we have synergy with either the go-to-market side or the engineering side? We look at the transaction based on revenue synergies and a growth play or cost synergies, such as consolidation. If it's a revenue play, we want to make sure that the investment enables Symantec to grow at its projected rate or better. Altiris is a good example of a high-growth company. Its growth is in the high teens. We've acquired other companies that are growing at 30 percent per year. We have been able to sustain those growth rates and to accelerate them.

EL. Have any of the companies you've acquired turned out to be bad choices?

JT. Yes! Mergers and acquisitions are a little like internal development. We've built several products that didn't work quite as we had anticipated, and we had to fix them. Likewise, we've bought one or two things that didn't work for us. This's truly an exploration. If you assume that 100 percent of your mergers and acquisitions transactions will work as planned, then, as a leader, you put yourself in a very naive position. The challenge comes when you recognize that something isn't working as you planned, and you have to decide what actions to take to correct the course that it's on. We have experience going down this road.

EL. Five years from now, will Symantec be largely a services based company?

JT. I envision software as a service or cloud-based services being a larger percentage of our revenue mix, but I don't expect it would be the predominant base of our revenues. We haven't disclosed what our internal cloud-based services represent. For example, last year, MessageLabs had $125 million in revenue. That's a small amount.

Having been in the industry for many years, I'm a bit critical of my colleagues who would argue that cloud computing is the next great thing that's going to change the world. Nothing changes as fast as the soothsayers would suggest. While I think cloud-based services or software as a service will, take on a greater proportion of how customers avail themselves of software, it won't eliminate the need for software companies in general.

EL. How are you helping organizations carry out their IT Infrastructure Library (ITIL) framework?

JT. All of our enterprise products comply with ITIL. In fact, our Altiris product will help you determine how well your enterprise complies with the ITIL framework. ITIL has capabilities around service delivery and service management. Likewise, our Altiris suite has an IT service management component.

EL. How is the piece of the managed service business doing for Symantec?

JT. It's has had good growth in the mid teens to low 20s. It's an area that will get more focus over the next year or two as corporations decide its too taxing for them to handle managing their firewalls, managing their intrusion sensors, and managing their email security infrastructure for spam and anti-fraud. It makes sense to outsource these things to a delivery expert such as us. Tough economic times like this force customers to evaluate whether or not they should managing these things themselves or they should rely on trusted experts.

EL. Does your Symantec's stock price still fluctuate whenever the media reports a major security breach?

JT. Not at all! A few years ago, chatter on the nightly news about the latest virus attack would have a corresponding impact on our consumer-installed business revenue. We've seen less visibility about broad-based attacks of late, and thus our consumer business hasn't had that external catalyst. An incident like TJ Maxx or some of the other data breaches that have occurred provide us to remind our sales team, and in turn, our customers, with our the importance of our data loss prevention technologies. The growth in data breaches prompted us to acquire a leading solution in that space by a factor or two or three. It also has great momentum

Interview conducted by Elizabeth Ferrarini at elizabethferrarini@yahoo.com

No one can deny that Jerry McElhatton has mastered many successful IT moments. During his 10 years as CIO with MasterCard International, McElhatton spearheaded a five-year, $160 million upgrade of the company's global processing system into one unified, single messaging standard. Even more impressively, he delivered this enormous undertaking on time and within the budget. The systems support more than 15,000 customers worldwide, handle more than 40 million transactions daily worth more than $1 trillion annually, and are linked to 800,000 ATMs globally. Also during his tenure, McElhatton oversaw the building of a $135 million, 52-acre campus for MasterCard's primary IT team.

In March 2005, McElhatton retired from MasterCard, where he had anywhere from 1,600 to 3,200 IT professionals under his leadership. Enterpriseleadership.org recently spoke with McElhatton about what his experiences managing an IT organization that could make or break MasterCard's success.

EL: What are you doing now?

JM: After 10 years with MasterCard, I retired to start Virtual Resources, a company that does consulting for organizations in the payments area, and for some architectural engineering firms. I also sit on the boards of directors for several technology companies, where I set up advisory committees to provide feedback on the company's products and examine what competitors are doing. I spend my free time tinkering with a massive model training collection, which my four grandchildren love. I almost forgot: I write articles for business publications, such as CIO Decisions.

EL: Now that you've retired from MasterCard, would you advise other near-retirement CIO's to go off and keep their hands in IT?

JM: Why not? I'm enjoying helping companies understand the cost benefits of technology. I've successfully gotten people to look at their cost structures, to put some best practices in place, to help them evaluate some future cost-effective architectures, and to get them to be more responsive to business needs.

EL: Looking back at the technology overhaul you implemented at MasterCard, what things really made it happen?

JM: The credit goes to my great team. The company had some very mature systems that did a nice job, but it took too long to bring new products to market. New and better technology could simplify things and reduce our infrastructure costs. My assignment included restructuring, rewriting, and redeveloping the core systems. It took five years of changes to give those systems the scalability and flexibility they needed to meet best business practices. We completed that project within the assigned budget and ahead of schedule.

EL: What were some of the best practices that were put into place?

JM: We put reusable systems code and architectures in place. When it came to databases and data warehousing, we made sure we captured the data correctly and could easily segment it. Our key members had to analyze this data to help them build their marketshare.

At MasterCard, I had the unique position of being responsible for all technology, all IT operations, and both IT security and physical security. Fraud is a big problem in the credit card business. For example, I oversaw all of the risk systems that enabled our members to report fraud to us so we could stop it. We gave them information to make them aware of certain types of fraud that were taking place or had the potential to take place. We spent a lot of time reworking those systems. We put together things that would give us an advantage in identifying some characteristics and traits of fraud.

JM: Yes, the entire security team reported to me. I was also responsible for the access control side of physical security. The entire team that guarded our campus buildings reported to me. These folks did a lot of investigations internally to make sure employees did not access unauthorized areas.

EL: What was the business model for MasterCard when you were there?

JM: Simply, we worked very closely with the business units to help them define priorities, to help them move marketshare and generate income, and to help them reduce operational expenses. As a member of the operations and policy committee, I looked at how we could leverage technology to get the biggest payback.

EL: What was your IT model at MasterCard?

JM: MasterCard's technology generates a significant amount of revenue on what's called a "quick charge." We have charges for authorization, clearing, settlement, and also charges on our risk systems. On some of the systems, we had profit and loss residing with the operations and technology group. And on the others, we had direct chargeback to the marketing group for the cost and expense of generating that revenue.

EL: Did you folks use anything like Six Sigma?

JM: It's an interesting concept that has to do with the definition of root cause analysis and definition of quality standards. Eighty-five percent of the program we used consisted of Six Sigma and the benefits associated with it.

We measured everything, and we drove staffing and quality off those numbers. In our system, we posted implementation reviews, and whenever we had a problem, we did a root cause analysis to determine where to patch the problem. So, our systems got stronger over time. The performance of MasterCard as a company became outstanding because of the work we'd done to engineer the system.

EL: How successful were you in combating fraud?

JM: It was very good. We did a lot of proactive things to put people on notice. In the credit card business, fraud often happens at the merchant location and at some of the processors. If someone doesn't follow the rules, you might do routine audits, but an IT security audit is only good for the day you do it. Someone can make a change the next day, and thus, put a hole in the system. You might not catch it until you do another audit, or you might not catch it until you have a problem. We did a lot of proactive work to identify potential fraud. We not only used our systems, but we had cooperative efforts with others, and we used their systems, so we had a significant reduction in fraud.

EL: Do you have any comments on Oracle's recent buying spree?

JM: On the one hand, Oracle will have a strong product offering. On the other hand, as with all technology mergers/acquisitions, IT departments no longer have a lot of product choice; they'll lose their ability to negotiate on price, and service levels.

EL: Are you writing a book?

JM: I've thought about it. My working title is, 101 Easy Lessons Learned the Hard Way. IT folks today have similar sets of issues and problems as their counterparts five or 10 years ago. Yes, there might be more flexible ways to solve these problems, but every generation seems to have to touch the top of the stove to see if it's hot. I have a lot of advice to give about how to avoid some of the mistakes other IT people have made in the past.

EL: What's the biggest mistake people make in climbing the career ladder?

JM: IT people are smart people, but they don't often have a sense of how to budget for projects and how to meet the deliverables. IT people often make things harder than they really are.

At MasterCard, we learned how to eat a big marshmallow without getting sick. The answer is a bite at a time. We broke down projects into very significant deliverables that we measured and monitored.

IT people have to first learn to commit to a project, and then stick to the schedule, the budget, and the deliverables.

EL: Do you think the CIO role should be rotational?

JM: Some companies might be better off if they went in that direction. If someone has been a CIO for 10 or more years, then that person might be stuck in that role. Let me tell you what helped me at MasterCard. For example, at one time I was assigned to run the process change team. We took more than $100 million out of the systems by leveraging technology, and leveraging people's skillsets. This experience helped me to grow closer to the business units. I had some other great business opportunities.

If you want to cultivate stronger IT professionals, then assign them both business problems and technology problems. This process enables IT professionals to gain a more realistic view of how the business uses technology, and how they should use it to solve problems.

EL: Have you read Nicholas Carr's book, Does IT Matter, or his Harvard Business Review article, "IT Doesn't Matter?"

JM: I've read the book. I've been in businesses where technology has made a big difference. At MasterCard, we leveraged a lot of technology to get good business results. Carr perceives technology as a commodity -- spending a lot of money on IT doesn't necessarily translate to creating competitive differential. For example, if an IT department is late with deliverables, then the company can loose its competitive edge. At MasterCard, we won a lot of new business by being the first to deliver new, working systems, and to continue to enhance those systems. The other guys had a hard time catching up with us.

--

Additional Reading - Sponsor Link:
Managing the Business of IT: Maximizing the Power of Service Resource Planning, the Next Step in Business Service Management

Elizabeth M. Ferrarini is an IT consultant from Boston, Massachusetts. Reach her at elizabethferrarini@yahoo.com.

by Deb Radcliff

Part 1  |  Part 2  |  Part  3

Smart devices have become the latest attack vector for online criminals, putting intellectual property, regulated and personal financial information stored on them at risk. In this first of a three-part article, author Deb Radcliff explores these new attack vectors into the enterprise.

Dozens of viruses, worms, and Trojans have been written against smart phones and pocket PCs since 2004. And even though most of these are proof-of-concept and nuisance malware, experts are warning of more serious crimes to come.

More criminal elements are already stealing identities and other personal and private information of value in countries where Symbian-based mobile phones are being used as money, in business collaboration, and in other valuable e-commerce applications, says Danny de Temmerman, head of cybercrime and security for the European Commission's Directorate General for Justice, Freedom, and Security. While speaking on a cybercrime panel at the RSA Security Conference in February, he also said that crimes over cellular phones have now become a top law enforcement priority in Europe.

"We're seeing fraud, phishing, spam, spyware, and adware all over these smart phones in countries where phones hold information that could be monetized," adds Vincent Weafer, director of operations at Symantec's Security Response Center, which sifts millions of spam messages per day through its global content scanning systems. "And in India, they're real concerned about pedophiles getting to their kids through their smart devices."

Even in the U.S., today's smart phone malware poses more than just a nuisance. For example, there are real costs to enterprises that issue smart, and feature-rich devices being targeted by malware. For example, skyrocketing phone bills when Mosquitos malware enter company-issued smart devices through games and start messaging expensive toll numbers. Other malware, such as the RedBrowser Trojan, repetitively ring up $5 - $6 SMS calls. And Commwarrior blasts millions of MMS text-based spam messages, also wracking up huge telecommunications bills.

Indirect costs also abound. Consider the lost revenues when productive road warriors lose their customer data and contact lists because a worm turned their phones into useless "bricks". Such worms can already kill reboot (Fontal.A), crash the operating system (Locknut), and drop the operating system and other critical applications altogether (Skulls). There's also the cost of cleaning up the network when an infected smart phone synchs to a PC or connects to the network through the VPN.

Fortunately, there's also more security around U.S.-based smart phones, particularly in closed carrier networks where phones are issued and maintained by the network operators. But there's much room for improvement, particularly in developing standards around device authentication, application integrity, and data protection on the handset. And, as with PCs, users -- including the enterprise customers -- must do their part to avoid malware, spam, and fraudsters in the first place.

A Safer Gateway

Ask Verizon Wireless, and you'll get an earful about how the risks are blown out of proportion by vendors wanting to sell security on the handset. It's all in the network, says Jeffrey Nelson, Verizon Wireless Spokesman, echoing Verizon's marketing message.

His biggest beef with such dire portrayal of crimes to come to the U.S., he says, is that carrier networks have more control over their phones than they do in the U.S., where most phones are sold through closed-carrier networks, meaning carriers sell the phone and the service bundled together. This way, network operators can control the phones and the applications allowed on them.

"There's a huge difference in risk between the U.S. and Europe and Asia," Nelson adds. "In the United States, people buy wireless service from a company, while in Europe and Asia, you buy a phone you like, and then get service for it, then buy a carrier service. Then you slip in a SIM card, and walk into this dangerous, unprotected world."

With more control, carriers can lock down vulnerable applications like Bluetooth and manage downloads somewhat by, at the very least, working off a whitelist of approved vendors, and denying the rest.

In addition, any carrier network worth its salt is already filtering out malicious code and unwanted spam entering through their messaging and e-mail gateways, he continues. They should also be filtering content from loading directly off the Internet. For example, Nortel Networks is using Websense to block damaging and unwanted content from getting onto browsers from malicious Web sites.

There are other reasons we've not seen as much malicious activity in the U.S. as we have overseas, say experts. For starters, the U.S. has been slow to standardize on a single operating system; whereas Europe, Asia, and other heavy-use regions have standardized on Symbian. So, by defaut, Symbian has become the operating system to attack, says Thomas Longstaff, deputy director of technology, Network Systems Survivability for Carnegie Mellon's Software Engineering Institute.

Another reason is slower adoption of smart O/S-, and browser-enabled phones in the U.S., which currently make up12 percent of North America's cellular phone user base, according to the Yankee Group. But, by 2009, that number will rise to 46 percent. And, 87 percent of all U.S. cellular phones in circulation are already feature rich, according to Yankee. Where there are new features, there are also new vulnerabilities.

--

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as researcher on a book about infamous hacker, Kevin Mitnick back in 1995.

by Tom Field

While CIOs have faced flat, to slow growth in their annual budgets, the same cannot be said of business expectations when it comes to innovative use of IT.

As a result, CIOs face this challenge: How to reduce costs while  simultaneously using IT to drive competitive advantage. As CIO magazine's fifth annual State of the CIO survey reveals, the best executives have realized that simple cost-cutting won't work. Technology innovation is a team sport, and it demands strong partnerships with business decision makers.

The survey asked nearly 100 senior CIOs for their thoughts on how to implement IT-led innovation throughout the company. Fifty-nine percent of them consider innovation a significant aspect of their job, but they also recognize that no executive is an island. More than one-third say that innovation initiatives are best led by a joint team made up of the CIO and other business leaders, and 28 percent say that innovative ideas best spring from collaboration and brainstorming with business-side peers. If the ideas and work are shared, so should be the responsibility as well: 42 percent of the respondents think that IT and the business units should share accountability for the results of their labors.

How much of your roll is concerned with innovation?

Where do innovative ideas come from?

Who leads innovation initiatives?

Who is accountable for innovation results?

by Craig S. Mullins

Imagine facing the prospect of a large-scale downsizing. Not the most enjoyable thing to think about, but not unrealistic either in today's business climate where "doing more with less" and optimizing ROI are common practices. So, you grab the company org chart and the latest employee reviews, and try to come up with a plan that minimizes impact on the business. You review the data and earmark for dismissal the poor performers and those employees who do not seem to be key parts of the most profitable business lines.

But is this approach optimal? Perhaps not. What you see on the company's organizational chart does not accurately depict how things actually work in your company. There is an underlying social infrastructure that exists in most organizations. It is informal, but functionally powerful. And rarely is it evident just how critical this informal network is until a piece of it is removed.

Consider our downsizing scenario: What would be the impact of laying off a critical component of the informal network? Even if your corporate policy manuals outline standard operating procedures, can you be sure that they are being followed? In many corporations, it's not uncommon that, over time, the informal employee network takes over tasks, gets the work done appropriately and on time. But most executives do not understand how this informal network operates in their company. So, they do not typically understand how information is flowing, who picks up their requests, and who doesn't. Clearly, a social network, operating "under the radar" of the official organization chart, can impact business processes.

"Technically, a social network is the set of social relations that connect people and or groups, such as friendship or advice giving," says Dr. Kathleen Carley, of the Institute for Software Research Department in the School of Computer Science at Carnegie Mellon University in Pittsburgh, PA. Dr. Carley is the Director of CASOS, the Center for  Computational Analysis of Social and Organizational Systems.

CASOS is a university-wide interdisciplinary center that brings together network analysis, computer science, and organization science. By combining computational and social network techniques, CASOS works to develop a better understanding of the fundamental principles of organizing, coordinating, managing and destabilizing systems of intelligent adaptive agents engaged in real tasks at the team, organizational, or social level. In other words, CASOS works to better understand the way things actually work and how work gets done in the real world.

Social Networks and Social Network Analysis

Basically, a social network is a system composed of multiple elements related in some way. Each element in the network may or may not have a relationship with the other elements.

The word "social" is used to define "social networks" because the most common type of element in the network is a person. However, social networks need not be composed entirely of relationships between people, but can be made up of anything that can have a relationship with something else. For example, social networks have been defined for trade patterns in cities and proteins in the human body.

The term "social network analysis" is used to refer to the set of graph-theory based algorithms applied to any network, preferably networks that include humans or groups as at least some of the nodes. Traditionally, managers look at the attributes of the people (individual elements of the network) they manage. Social network analysis looks at the relations between the elements. This is a significant change.

Consider, for example, conducting a survey of your organization in which everyone is asked: "Who are the people you are most likely to discuss technical problems with?" and "Who are the people you are most likely to go out with for lunch or after work for a drink?." The results of these two questions will not likely be the same. But both help create useful social network maps.

Social network analysis is the process of collecting data, organizing it in useful ways, and examining the network structure to understand its influence on real-world events. It is possible to compare the structure of a healthy organization to an unhealthy one, or of a successful startup to an unsuccessful one.

A manager with access to the social network mappings within the organization becomes empowered to view the operations of the company with a clearer perspective and understanding of how things are actually happening. Social network analysis can enable management to identify emergent groups, potential areas of information blockage, and other key actors within the organization who can effect change.

Consider, for example, the employees who are well-respected as technical gurus, or founts of knowledge on a particular aspect of the company's business. Every company has a few such employees that everyone else relies upon. It would be to management's benefit, first of all, to know who these gurus are, and secondly, to be able to leverage them and their network to successfully launch new initiatives and practices. A new initiative can have a much better chance of succeeding when it is being championed by the leaders -- that is, the gurus -- who already have the trust of the organization.

Dr. Carley notes that CASOS has developed a tool, named ORA, to help provide management with information on social networks. When fed the appropriate data, the tool can deliver a management report with the pertinent social network information to the business executive.

An interesting application of social network analysis being conducted by CASOS is the investigative research of e-mail from Enron Corporation. The e-mail being reviewed is voluminous in that it covers a 3-and-a-half-year period. The data contains a large amount of information on interaction, communication, knowledge, cognition, resources, tasks, and relationships on an individual and group level in Enron. According to Dr. Carley, the analysis shows dramatic shifts in the social networks in response to corporate events such as change in CEO, president, and so on. Enron's social network was used to pass information, reduce concerns, and promote the adoption of ideas.

Crossing Organizational Boundaries

It is also possible for companies to look at the inter-organizational networks among companies or the social network of an individual, such as a CEO, that extends across multiple organizations. In such cases, the CEO can use his social network to vet ideas and do information gathering to reduce risk before making major decisions.

A better understanding of inter-organizational networks can be critical for up-and-coming companies as it helps them better position themselves relative to their competitors. Dr. Carley notes that many companies actively build the network of relations with those companies whom their competitors are also linked to. Highly influential companies are often key nodes in the inter-organizational network. For example, Microsoft would have a higher level of connections to other companies than its smaller competitors. By growing these links, large influential companies can become, effectively, network monopolists and serve to control the flow of information in these inter-organizational networks.

Inter-organizational networking is useful at the personal level, too. The concept of social networks has moved online, such as in the example provided by LinkedIn. LinkedIn is a popular online service that facilitates business-oriented connections. Basically, LinkedIn makes it possible to track your own, personal social network. By keeping your contact information up-to-date, and inviting your trusted associates to join and keep their information current, LinkedIn enables you to easily manage your social network - and to take advantage of others'. Imagine the power of being able to quickly and easily interact with all of your historical business contacts and to ask them to put you in contact with the influential contacts in their social networks.

Taking it Further with Meta-networks

In today's complex business environment, to address practical problems, we need to move beyond social networks to consider the meta-network context. That is, we need to consider the relations of people to people, knowledge, tasks, and so on.

A business executive that can move beyond just information on the connections among personnel to consider knowledge and tasks as well opens up avenues for additional understanding. This additional information can help the executive identify hidden competencies and emergent leaders, as well as helping to put together new teams. Moreover, this information provides new guidance and help for the human resources department to do better personnel management and identify points where training could be beneficial. Essentially, it enables more adaptive behaviors to be implemented.

What About Personal Privacy?

Of course, the practice of social network analysis can open up issues of personal privacy and companies will have to balance the gain of such study against its potential pitfalls.

One such pitfall is perception. The informal nature of a social network can seem to become more formal if it is used by management to further its goals. If staff becomes aware that management is analyzing their "social" network to further business goals it may be perceived as an invasion of privacy.

And what about the gurus who, once identified, may become inundated with additional work? Care must be taken to balance the opportunities for leveraging a social network against a potential backlash of disgruntled employees believing they may have been taken advantage of.

A service such as LinkedIn is voluntary. Subscribers choose to use the service and each time an invitation is sent the receiver can choose to accept or decline the invitation. As such, this opt-in approach can help to alleviate concerns of intrusions on personal privacy.

Of course, sometimes privacy is less of an issue. When the data is publicly available privacy is not usually a big concern, although some may still have issues with the mining of large volumes of data. When privacy is an issue, names and attributes can be anonymized. As Dr. Carley points out, "sometimes, it is beneficial to look at relationships in terms of roles - doctor to nurse to pharmacist, rather then in terms of people's names. This role based approach also helps to alleviate potential privacy concerns."

At times, the results of social network analysis can be useful in terms of summary or aggregated statistics. For example, it may be helpful to know how strongly a group is connected or how complex of a task environment they face rather than the details on specific individuals. In general, such summary data is useful for comparing different divisions or branches in the same company.

For the field as a whole, as for many other scientific fields, data-privacy is a double-edged sword. On the one hand, discovering new ways of de-identifying data, yet preserving the statistical properties, is leading to important scientific advances. On the other hand, concerns about privacy can get so carried away that important data is not gathered and analyzed and policy makers are making important decisions in the dark or with the wrong data. "Overall, there are many key questions that need to be answered in this way," points out Dr. Carley, "and we need to develop new tools for de-identifying and re-identifying nodes and relations in networks so as to ensure appropriate and meaningful privacy levels that do not overly compromise the use of network science to inform policy and provide goods and services to the public."

The Bottom Line

It can be just as, if not more important to understand the informal social fabric of your company than the official organization. The study of social and organizational systems can open up important insight for businesses in terms of how things really get done -- and the implications this has on running the business. This field can offer busy executives additional insight into their business and how it functions.

--

Craig Mullins is an independent consultant and president of Mullins Consulting, Inc. Craig has extensive experience in the field of database management having worked as an application developer, a DBA, and an instructor with multiple database management systems including DB2, Sybase, and SQL Server. Craig is also the author of the DB2 Developer's Guide, the  industry-leading book on DB2 for z/OS, and Database Administration:  Practices and Procedures, the industry's only book on heterogeneous DBA  procedures. You can contact Craig via his web site at http://www.craigsmullins.com.

What do Tiger Wood's swing and ITIL have in common? The question is no joke! Both Tiger Wood's swing and ITIL are best practices.

Here's the analogy:

When a beginner golfer picks up the clubs for the first time, the instructor doesn't say "keep hitting the ball till you figure out your swing?" Instead, they recommend one of two common grips, basic stance, and straight left arm. These are best practices. In other words, they provide a way to do something based on what is commonly viewed as the best way to do it. A best practice is simply a way of doing something, based on how others have successfully done it before, that helps you quickly achieve a level of competence.

Is the best practice the end goal? No. Best practice provides a baseline, or starting point. It's a way to quickly achieve results, that you can then build on and adapt to your unique needs. In golf, many players copy Tiger Wood's swing to improve their game. But there is only one Tiger Woods! If you are shorter, less flexible, weaker, or less practiced than Tiger (as most of us are), then you need to adapt Tiger's swing to your unique requirements.

by Rod Amis

The issue of IT governance has become a concern for many CIOs/CTOs these days as emphasis has switched from the technologies themselves to how they bring greater value to the overall business. As one professional commented, you don't show value by talking about how many transactions you processed per hour; you talk about how much money you made the business last night. Business leaders in IT are less concerned about showing what's "under the hood" than they are about demonstrating the benefit of getting to the destination. One tool that is being explored to bring value is CobiT.

CobiT (Control Objectives for Information and related Technology), the international open standard of good practice for IT governance, security, and control, is now available for download at the Information Systems Audit and Control  Association (ISACA) Web site. This interactive and customizable release of CobiT is made available by the IT Governance Institute (ITGI). In this article, we'll explore the questions:

• What is CobiT?
• Is CobiT better than other governance frameworks?
• What benefits does CobiT bring to the enterprise?

What IS CobiT?

Let's begin with a bit of history. "ISACA got its start in 1967, when a small group of individuals with similar jobs -- auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations - sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field," we learn at the ISACA Web site.

In pursuit of this mission and parallel to the IT Infrastructure Library (ITIL) project begun by the British Government, the auditors at ISACA -- as the organization expanded internationally -- were looking for control mechanisms that could bring to the business the value of controls that provided verifiable compliance and governance data.

In essence, CobiT incorporates the control objectives observed by enterprises in compliance with Sarbanes-Oxley and other international standards, and allows for coordination between control requirements, technical issues, and business risks. CobiT's tool sets allow for practices that the ITGI believes incorporate or deepen the international IT Guidance supplied by ITIL, ISO/IEC 17799, ISO/IEC 13335, ISO/IEC 15408, TickIT, NIST and COSO.

In structure, CobiT features 34 high-level control objectives and 318 detailed control objectives that keep IT's operations in line with the business goals of maximizing security and profitability and minimizing risks.

In a February, 2005  interview with IT Business Edge, Malcolm Fry, an ITIL expert, provides this overview: "I'm going to ask you to draw yourself a graphic to explain how they all link together as a cohesive unit. If you draw two boxes next to each other and in the left hand one you write the ITIL, for the IT Infrastructure Library, and in the other, write TQM --Total Quality Management -- in other words, that's the business. The ITIL is basically running the day-to-day operations of IT. Draw a slighter bigger box around those two boxes and across the top of it write CobiT. What CobiT does is it brings in check points, security points, so in other words, in a certain point in the procedure you can't go past here unless you've got authority or proof or you meet some kind of criteria. So when you're implementing ITIL to support the corporate TQM, then CobiT you will implement at the same time to put the control points in. So ITIL is about processes, CobiT is about control points …"

Is CobiT Better than Other IT Governance Frameworks?

First a word of caution: No single framework of IT governance will fit the needs or the business objectives of every organization. Each business must look at its own challenges, goals, and objectives, and then evaluate the available governance frameworks to see which features of each best helps to meet those goals. Each of the three most recommended frameworks brings its own strengths to the business circumstances.

As Mr. Fry suggests in his response, oftentimes an array of frameworks, tailored to the particular needs of your enterprise is the best approach. While CobiT's strength is most pronounced in the area of controls and metrics, ITIL is strong on best practices and processes, and ISO is strong on security.

It is important to remember that each of these frameworks is the result of the work of literally hundreds of businesses and IT professional organizations internationally, over a period of decades. Each complies with international standards, so an array of the features of all three may be best for your enterprise.

"For the last five years, I have worked with IT organizations across the U.S. as a principal consultant, helping them identify key opportunities for best practice improvements in their change, and migration, processes. In those areas, CobiT provides some clear control guidelines that can be applied appropriately to meet a given organization's needs, based on their business model," says Mary McMichael, Principal Consultant for Diversified Software  Systems.

"When sitting down with IT leaders from various disciplines in an organization, CobiT provides an objective set of guidelines with which to guide a discussion about the specific risks and opportunities in that enterprise, while avoiding some of the potential political potholes that can befall us in this type of discussion," she continues. "It can become a true business needs definition discussion rather than a criticism of any one organizational group, and provide a roadmap to prioritize improvement options."

What Benefits does CobiT Bring to the Enterprise?

The most apparent benefits that the CobiT framework can bring to the table are time and money. Because the documentation -- the accumulated experience of hundreds of IT professionals, auditors and business managers -- is made immediately available to your enterprise at no cost at the ISACA.org Web site, you immediately avoided having to invest in developing these practices independently. And, instead of addressing your control and auditing concerns on an ad hoc basis, you can bring this knowledge and complete framework to the fingertips of your management team immediately. With all this information and milestones set out for you and your staff, the possibilities of confusion or miscommunication about goals you're trying to achieve with CobiT are minimized, which also brings greater efficiency.

The third important benefit offered by CobiT is that it already complies with international standards and Sarbanes-Oxley. That means that it is not only a valuable tool for your internal management team, but can also be used by auditors and others outside your enterprise to evaluate your success in implementing control structures.

Finally, the CobiT framework allows you to share the knowledge you gain with other organizations, in users' groups, in professional journals or books, and via the Web. Sharing solutions and challenges with others can be a powerful engine, driving even more new ideas and solutions from your team.

Emphasis on Compliance

As an internationally developed and accepted framework of IT governance, CobiT shines in the areas of controls and auditing. It was developed by the IT Governance Institute and is freely available in an interactive, Web-based format from ISACA.org. It comprises years of experience in controls and security issues devised by hundreds of IT professionals, all to ensure that your organization is compliant with internationally accepted standards.

Since the shadow of the Enron scandal (which lead directly to Sarbanes-Oxley) fell over the vast arena of business reporting, and what IT can bring to risk management, control, and the audit trail, professionals have taken a closer look at tools that allow for verifiable, reliable reporting as well as controls for the enterprise. CobiT is increasingly coming on many CIOs' radar as a powerful compliance, and best practices tool, and another means by which IT brings value to the business (and can show it).

For more information about CobiT, check out the following resources:

• IT Governance Institute
• ISACA.org
• COSO & CobiT  Center

--

Rod Amis is a freelance technology writer based in North Carolina.  He has written for various publications on- and offline, including IT Manager's Journal, NewsForge, Silicon.com and Access Internet Magazine.  He is also the author of two books and was a newspaper journalist before going completely digital.