As the CIO of a Fortune 1000 company, David Thompson has more
resources than most technology managers. And given that the company
Thompson works for is Symantec Corp., the security and data
protection expertise at his fingertips is the envy of most of his
peers.
But for all of his advantages, Thompson still faces many of the
same everyday challenges and concerns that other CIOs and CSOs
grapple with. In an interview over lunch recently, Thompson said
that he has spent much of his time since joining the company in
February on finishing the technology integration with the former
Veritas Software Corp., which Symantec acquired in late 2004.
But, with that project nearly complete, he has a number of large
initiatives looming on the horizon.
"The back-office infrastructure has merged and right now I'm
working on data center consolidation. That's typically the last
thing you can get to," said Thompson. "We're shutting down some
labs and consolidating data centers now through the end of the
year."
Virtualization's unknowns
As part of that project, Thompson is beginning to invest in
virtualization technology as a way to save money on servers and reduce energy
consumption in the data centers, both of which are key concerns for
Symantec CEO John Thompson. The rising cost of power in the last
year or two has coincided with wider deployment of dual-core
servers, which require more power and throw out more heat than
traditional single-core machines.
This confluence of events has led to a dramatic increase in the
amount of money required to run a typical data center. As a result,
many enterprises have begun trimming costs by using virtual
machines to reduce the number of physical servers needed in a data
center.
Thompson sees virtualization as a key part of Symantec's
infrastructure going forward.
"Virtualization hasn't been a part of it in the past, but we're
doing that now," he said. "We're starting to invest now, preparing
an architectural plan. It'll not only save us a ton of money, but
also increase productivity and that's the kind of innovation we
have to do in IT."
But along with the many advantages virtual machines can deliver,
they also bring questions about their security. Some researchers
have raised concerns about the safety of running multiple virtual
machines on a given server, saying that it's difficult to monitor
and understand the interactions among the virtual machines, largely
because they are not tied directly to the hardware in the way that
Windows or other operating systems are. Developers or testers can
quickly bring up a virtual machine on a test box without notifying
IT, leading to other potential security issues.
But Thompson said Symantec has developed a policy that requires
all virtual machines to be of a standard configuration and to be
deployed by IT.
"In our training environment for customers, in the past we had
servers all over the country. We brought that back into the central
environment and we use a certified configuration," Thompson said.
"The image has been pen-tested so the environment is secure out of
the box.
"If you don't start with the right image that has all of the
patches, et cetera, it's a problem," he added. "All the standard
security practices around the infrastructure apply to the boxes
that host virtual machines. The team is focused on that master
image."
No leeway, even for execs
Like many other IT pros, Thompson also is struggling with the
evolving problem of endpoint control. Symantec, like most large
organizations, has employees all over the world, and bringing all
of the various infrastructures from its many acquisitions in line
with Symantec's corporate standards is a constant challenge.
Thompson has been keeping an eye on the various network access
control (NAC) architectures out there, but for
the time being is relying on strict policies and enforcement to
keep mobile devices secure.
Foremost among those policies, he said, is that all devices –
including mobile devices – must belong to Symantec and must have
its software in order to access the corporate network. It's a stringent
policy to which even the company's higher-ups are still
adapting.
"We had one executive call and complain and I had to say
'Sorry.' Mobile devices are an opportunity for encryption on the
device and that's something we're looking at," Thompson said. "It
is somewhat of a challenge, hard to administer. But we still have
issues like any other large corporation."
Thompson, who joined Symantec after several years as CIO at
Oracle Corp. and PeopleSoft Inc., has been through a number of
mergers and acquisitions in his career, which is one of the reasons
he's now at Symantec. The Cupertino, Calif., security giant has
been perhaps the most active shopper in the infosec industry's most
recent round of consolidation, and Thompson's experience stitching
together the disparate infrastructures of a number of organizations
is coming in handy.
One of the key lessons he's learned is to keep in mind that
security should help people do their jobs, not prevent them from
getting work done.
"Clients would rather not have to interact with the support
person if they don't have to. We have a great deal of opportunity
to have better online interaction with clients, with more self-help
and self-healing," Thompson said. "My techies want to do things
directly and that's where we continue to need to beef up our
capabilities. [Instant messaging] is an opportunity for us to help,
with IM Logic. If we can secure the [IM communications] channel,
that's a great opportunity.
"A lot of my peers have opted not to allow IM at all," he added.
"That's an opportunity for us to help, to help CIOs open that
boundary because sales and support want to be able to
communicate."