Under Pressure: Five Issues Challenging Every CIO

As enterprise spending rebounds, CIOs aren't quite breathing sighs of relief. In today's enterprise world, technology heads are faced with increasing pressure to comply with government regulations while securing their enterprises to the utmost degree and, of course, achieving efficiencies and cost savings.

With these demanding environments and growing expectations, IT investment decisions are becoming more challenging for enterprise CIOs. From new projects to years-long initiatives and big IT decisions that have yet to be made, VARBusiness talks to five enterprise CIOs about how they approach security, service-oriented architectures (SOAs), outsourcing, storage and regulatory compliance. Their stories hold lessons for the VARs and vendors that serve them.

Keeping Security ShipShape

More than ever, enterprises are concerned with the security of their IT infrastructures. At Royal Caribbean International, the world's second-largest cruise line, maintaining the integrity of its operating systems, customer data and financial records is an absolute necessity in keeping its 19 luxury liners steaming.


"Security is a little more impactful in our industry," says Mike Sutten, the Miami-based company's CIO. As with all publicly traded enterprises, Royal Caribbean is subject to myriad regulations, such as Sarbanes-Oxley, and industry standards, such as the VISA Cardholder Security Program. The $3.8 billion travel company has invested heavily in custom software that safeguards its systems and data, as well as in point products that, once integrated, provide layered controls over its IT operations.

"There's nothing in our security program that we didn't want to do or get done," Sutten says. "Regulations gave us the imperative to get it down by a certain date."

Since the LoveLetter virus of 2000 that marked the era of devastating global, self-replicating malicious software, enterprises have invested in numerous forms of perimeter and internal security technologies. The terrorist attacks of 9/11, the persistent hacker threat and the chronic identity-theft cases have reinforced the need for security. Vendors have trumpeted point solutions--hardware and software--that fill different pieces of the security puzzle.

During the past 18 months, vendors such as Cisco Systems, Check Point Software Technologies, Juniper Networks, McAfee, Microsoft and Symantec have moved toward the "one-stop shop," offering complementary products that provide comprehensive security. Rather than having an intrusion-prevention system, firewall, VPN, access control (endpoint security) and antivirus software that operate through different management systems, these vendors have begun pushing holistic systems--one box, many applications or stand-alone applications that can be easily integrated with other apps.

Enterprises say they want simplified security, or what some call enterprise risk management (ERM) or unified threat management (UTM) systems. From a single console, they can view, manage and respond to numerous known and unknown threats. The goal of these integrated systems is to provide enterprises with greater efficiency in responding to known threats--internal and external--and greater effectiveness in identifying new threats.

The problem, Sutten notes, is the holistic security system remains nonexistent. Enterprises, nonetheless, say they want one-stop shopping, since that would provide lower total cost of ownership and potentially bring higher ROI. But the lack of truly integrated systems forces enterprises to continue buying and integrating best-of-breed solutions.

"We haven't seen one system that we've liked that provides comprehensive security," Sutten says. "We use different tools; no one has come in with a sweeping tool."

Like most enterprises, Royal Caribbean is mum about its security infrastructure and build-out plans. But, according to analyst firm Gartner, enterprises in the coming year will devote more budget and resources to network-access-control systems (such as Cisco's and Juniper's self-defending network schemes), intrusion-prevention (such as 3Com/TippingPoint's UnityOne products), identity and access-management systems (such as systems by Oracle, RSA Security, Novell, Microsoft and Computer Associates) and vulnerability-management (such as McAfee's Foundstone product line).

Because security remains a patchwork of point solutions, enterprises will look to channel providers to provide expert advice on building and integrating products into comprehensive defense schemes. By some estimates, the global security market is projected to grow from $20 billion this year to more than $45 billion by 2008, the bulk of which will be spent on professional services, maintenance and support.

Starwood Checks Into SoA

Tom Conophy, CTO at White Plains, N.Y.-based Starwood Hotels and Resorts Worldwide, jokes openly about having a "sledgehammer party" in the parking lot.

The object slated for destruction? The mainframe that Starwood has been dependent on for more than 10 years. Of course, the destruction will have to be symbolic given that Conophy's mainframe is leased. It's the thought that counts.

Starwood Hotels owns and operates more than 700 hotels in 82 countries, including the Sheraton, Westin and W hotel chains, and has about 120,000 employees. The hospitality enterprise is currently in the midst of a major transformation away from its IBM mainframe to a distributed, Java-based J2EE environment, taking its legacy application base to Java running on Linux, Unix and Hewlett-Packard servers.

The ultimate goal is to implement an SOA, "which will allow Starwood's applications to talk to each other better and make communicating with partners easier as well," Conophy says.

Conophy saw the writing on the wall back in 2000 and 2001 when his mainframe was "running out of gas" and not sufficiently supporting Starwood's CRM applications. He figured that SOA was the way to go. As part of the migration, Starwood recently selected Mountain View, Calif.-based Actional's LookingGlass and SOAPStation SOA management solutions.

Starwood's SOA transition and the resulting mainframe retirement are both part of the company's overall IT transformation strategy--dubbed Fusion, because it aims to combine business strategy and direction with technical strategy. Conophy says the transition will start in the first quarter of 2006. By the third quarter, the mainframe will be retired.

Starwood is not alone in its quest for an SOA. Gartner predicts that by 2008, most application-software revenue will come from products built using SOA; by 2010, that number will jump to 80 percent. SOA exposes an enterprise's applications as services with standard interfaces, meaning they can share middleware and, therefore, data more effectively through standard protocols, such as Web services. That translates to the ability to do more with less and to respond to business needs faster, because applications can be deployed and recombined more quickly.

From IBM to BEA and Oracle, vendors are ramping up their SOA offerings to meet a growing demand. For instance, IBM announced its SOA Integration Framework initiative, which builds services capabilities into its WebSphere, Rational and Tivoli software to speed up SOA delivery. As for the future, Gartner predicts that SOA and Web services will ultimately affect every business and IT department.

Automaker's Outsourcing Options

Many enterprises and integrators alike will be watching with great expectations as General Motors makes a crucial decision on its outsourcing strategy.

GM's outsourcing dilemma has been the subject of speculation for years. The world's largest automobile manufacturer's 10-year contract with former subsidiary EDS expires next June. Long before then, GM will have to choose between renewing its contract, giving the work to another major systems integrator or even divvying up the contract among several partners. For its part, GM is not commenting.

But its decision in late July to award Sun Microsystems the largest-ever contract for an enterprisewide Java deployment suggests that the struggling automaker wants to keep the option of leveraging various outsourcers. Sun's Java Enterprise System coupled with Solaris 10 will be the basis of GM's plans to build an SOA in which Java components will be shared across different parts of GM's worldwide infrastructure, supply chain and partners.

"It gives us some modularization and some flexibility and decoupling in some places in our architecture," says Fred Killeen, GM's director of IT systems development and acting COO. "We're just trying to be careful and understand how you manage [service-level agreement] performance with a service-oriented architecture, and how to do that across multiple outsourcers, potentially."

Already a longtime user of Sun's Java Web Infrastructure Suite and Java Application Platform Suite, GM plans to expand the Web-based portal through which employees, partners and contractors access GM's systems by adding Sun's Java Identity Management Suite, with the goal of streamlining the sign-on process for internal and Web applications. In some cases, GM users will have single sign-on. But there are applications where GM believes requiring additional levels of authentication beyond the portal login will still be necessary.

Whether GM chooses one or several outsourcing partners, it will no doubt have a ripple effect on subcontractors.

"As an outsourced company, we are hugely looking to integrators," Killeen says. And with an IT budget of approximately $3 billion, its staff of 1,700 will be focused on making sure those integrators help bring GM back to its glory days.

Storing All Those Grains Of Sand

He may be based in sunny Southern California, but Ron Ehlers, vice president of information services at Pacific Sunwear, knows that enterprise IT is no walk on the beach.

Pacific Sunwear, a 1,000-store nationwide clothing retailer, is trying to keep its IT infrastructure on pace with its rapidly growing enterprise.

"It has always been one of our challenges from a technology standpoint, keeping up with the growth of the business from all aspects--capacity, speed, capabilities and functionality," Ehlers says. "The requirements to run a 100-store business are quite different from running a 500-store business or a 1,000-store business."

With a growing business comes an exponential growth in data and file servers. "It's like rabbits--you go from one to five to 20, and all of a sudden you're at 50 servers," Ehlers says.

Those file servers are vital for Pacific Sunwear's business: they handle store polling (the nightly exchange of sales and financial data between the stores and corporate offices), host business applications and e-mail, and serve the company's Web site. But Ehlers found that managing storage, and the backup policies that grew up around each file server, was becoming increasingly difficult.

"When you get that many servers and tape drives and tapes in the cycle, it's a very mechanical process, and it started becoming unreliable for us," he says. "It was rare that we had a night when every server had been backed up."

Ehlers turned to local solution provider CCS Technology Solutions, which suggested an IBM-based storage-management solution. Together, they implemented Tivoli Storage Manager running on an IBM xSeries system, Tivoli Storage Manager for Database and for Mail technologies, as well as IBM ServeRAID Ultra SCSI Controller software and IBM TotalStorage Expandable Storage Plus.

"Now we're managing maybe two or three very high-density tapes per day instead of the 50 separate tapes," he says, adding that those tapes are then transported off-site as part of Pacific Sunwear's overall disaster-recovery/business-continuity plan.
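Ehlers' complaint that "it was rare that we had a night when every server had been backed up" is a failure mode worth catching automatically rather than discovering during a restore. The script below is an added example (not Pacific Sunwear's or CCS Technology Solutions' code) that audits a backup server's completion log against a host inventory and reports every host that did not get a usable backup inside the last 24 hours. The log format, host names and timestamps are constructed for illustration; a real Tivoli Storage Manager deployment would feed this from its activity log or `query event` output instead.

```python
"""Audit nightly backup completion against a host inventory.

Added example; the log format and inventory below are constructed.
A host is only considered backed up if it has a COMPLETED record inside the
window with a non-zero byte count. A job that never ran, a stale record, a
FAILED record, or an empty "successful" backup are all reported.
"""
from datetime import datetime, timedelta

# Constructed inventory: every host that must be backed up each night.
INVENTORY = {"fs01", "fs02", "mail01", "db01", "web01"}

# Constructed backup-server log (hypothetical format):
# <ISO timestamp> <host> <status> [<bytes or error detail>]
SAMPLE_LOG = """\
2005-11-14T22:05:11 fs01 COMPLETED 104857600
2005-11-14T22:31:42 fs02 COMPLETED 52428800
2005-11-14T23:10:03 mail01 FAILED media_error
2005-11-13T23:40:18 db01 COMPLETED 209715200
2005-11-14T23:58:59 web01 COMPLETED 0
this line is garbage and must be skipped
"""


def parse_log(text):
    """Yield (timestamp, host, status, detail) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        detail = parts[3] if len(parts) == 4 else ""
        yield ts, parts[1], parts[2], detail


def audit_backups(inventory, log_text, now, window=timedelta(hours=24)):
    """Return {host: reason} for every inventory host lacking a good backup."""
    recent = {}   # host -> records inside the window
    latest = {}   # host -> most recent timestamp seen at all
    for ts, host, status, detail in parse_log(log_text):
        if host not in inventory:
            continue  # hosts outside the inventory are out of scope here
        latest[host] = max(latest.get(host, ts), ts)
        if now - ts <= window:
            recent.setdefault(host, []).append((status, detail))

    problems = {}
    for host in sorted(inventory):
        records = recent.get(host, [])
        if any(s == "COMPLETED" and d.isdigit() and int(d) > 0
               for s, d in records):
            continue  # at least one real backup inside the window
        if not records:
            if host in latest:
                problems[host] = ("no record in window, last seen "
                                  + latest[host].isoformat())
            else:
                problems[host] = "no backup record"
        elif any(s == "COMPLETED" for s, _ in records):
            problems[host] = "completed with zero bytes"
        else:
            problems[host] = "; ".join(f"{s} {d}".strip() for s, d in records)
    return problems


if __name__ == "__main__":
    report = audit_backups(INVENTORY, SAMPLE_LOG,
                           datetime(2005, 11, 15, 6, 0, 0))
    for host, reason in report.items():
        print(f"{host}: {reason}")
```

Run nightly after the backup window closes, the report is the thing an operator reads before declaring the night a success; the zero-byte and stale-record cases are the ones a naive "job exited 0" check misses.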

For Ehlers, an effective solution-provider relationship means bringing value to the table and understanding the complexities of his business.

"We're looking for partners that bring solutions to the table that will be of the most benefit to our organization, that can filter through and cut to the chase to focus on bringing us value," he adds.

Taking Stock In Compliance

Storage management goes beyond just the retail space, as enterprises in all industries are faced with ever-increasing amounts of data and regulatory requirements that force them to store and manage that data for years.

As the nation's oldest trading center, the Philadelphia Stock Exchange has a long history of risk management, corporate governance and regulatory compliance. Since 1983, Bernie Donnelly has overseen the exchange's compliance and auditing efforts, ensuring that the organization not only meets regulatory requirements, but also minimizes risks to stakeholders and traders.

"We've always been of the mind that the regulators and auditors are a third eye, a quality-control check," says Donnelly, vice president of quality assurance. "As long as they have insight into what you do for a living, they can be a benefit."

But enterprises like the Philadelphia Stock Exchange are under more regulatory pressure than ever. Sarbanes-Oxley is driving huge compliance investments for publicly traded companies. But other regulations and industry standards abound. The Basel II accord and the U.S. Gramm-Leach-Bliley Act are pushing greater IT controls in financial services. HIPAA, California's Security Breach Information Act (commonly known as SB 1386) and the European Union Privacy Directive are requiring greater protection of personal data. And the VISA Cardholder Security Program holds the promise of improving the security and integrity of e-commerce and retail exchanges.

Compliance is one of the greatest motivators for risk management, security and corporate governance in IT history. By 2008, according to Gartner, 60 percent of U.S. firms with less than $5 billion in assets will have aligned their corporate risk management to regulatory requirements. And, 20 percent of firms are spending between 1 percent and 5 percent of their IT budgets on compliance issues. According to AMR Research, enterprises will spend $80 billion on compliance technologies and services during the next three years.

Naturally, large enterprises are leading the charge in building robust compliance-reporting systems. Gartner expects that smaller enterprises will follow their lead by adopting components of those large systems that meet their specific regulatory needs.

Since Sarbanes-Oxley (enacted in 2002) began to bite with its 2004 compliance deadlines, enterprises have gone through two phases of compliance. The first year was spending whatever it took to get compliant, often purchasing disparate point solutions. In year two, enterprises started getting more strategic, looking for integrated compliance systems that reduce complexity and contain costs.

"The focus shouldn't be on finding [compliance audits], but rather [on] the process," Donnelly says. "If you don't have a process for dealing with compliance, you're always going to be reacting to the next finding."

But process is only one component of regulatory compliance. Compliance involves nearly every software package, hardware deployment and management system. Enterprises are investing in efficient storage systems with embedded access control and security, comprehensive security systems (intrusion-detection and monitoring systems, vulnerability management, identity and access control), and management systems that tie the disparate technology together with efficient reporting and response capabilities.

"You need to make sure the snapshot you took today is the same snapshot when you look at it seven years from now," Donnelly says.
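Donnelly's snapshot requirement is, in security terms, a long-term integrity guarantee: the archive must be able to prove that a record retained for seven years was not altered or quietly dropped. The code below is an added example, not the Philadelphia Stock Exchange's own tooling, of the minimal mechanism behind that guarantee: hash every record at archive time, canonicalize the manifest, and authenticate the manifest with a key the archive operator does not control. The records, file names and key are constructed for illustration.

```python
"""Tamper-evident manifest for retained records.

Added example (constructed data). Verification detects a modified record, a
missing record, an unexpected extra record, and a manifest that was edited
or re-signed with a different key.
"""
import hashlib
import hmac
import json

# Constructed snapshot: record name -> contents, as captured at archive time.
SNAPSHOT = {
    "trades/2005-11-14.csv": b"ticker,qty,price\nXYZ,100,12.50\n",
    "ledger/2005-11-14.txt": b"closing balance 1,234,567.89\n",
}

# Constructed key. In practice it is held by an independent party (internal
# audit, an HSM) so that whoever operates the archive cannot re-sign it.
AUDIT_KEY = b"constructed-audit-key-do-not-reuse"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(manifest):
    """Stable byte encoding of the manifest, so the HMAC is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records, key=AUDIT_KEY):
    """Return (manifest, tag): per-record digests plus an HMAC over them."""
    manifest = {name: sha256_hex(data) for name, data in sorted(records.items())}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_snapshot(records, manifest, tag, key=AUDIT_KEY):
    """Return a list of findings; an empty list means the snapshot is intact."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # If the manifest itself cannot be trusted, per-record results
        # would be meaningless, so stop here.
        return ["manifest tampered or signed with a different key"]
    findings = []
    for name, digest in manifest.items():
        if name not in records:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(records[name]), digest):
            findings.append(f"modified: {name}")
    for name in records:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return findings


if __name__ == "__main__":
    manifest, tag = build_manifest(SNAPSHOT)
    print("at archive time:", verify_snapshot(SNAPSHOT, manifest, tag))
    altered = dict(SNAPSHOT)
    altered["ledger/2005-11-14.txt"] = b"closing balance 1,234,567.98\n"
    print("after a one-digit edit:", verify_snapshot(altered, manifest, tag))
```

The manifest and its tag are what the auditor keeps, separately from the storage that holds the records; WORM media or an external timestamp on the tag adds the proof of *when* the snapshot was taken, which a bare HMAC cannot provide.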

Enterprises look to vendors and resellers to integrate these disparate IT management, audit and reporting packages. Gartner says current measures of success are a reduced exposure to enforcement actions and a reduction in the cost of compliance.

VARBusiness editor Lawrence M. Walsh and senior editor Jeffrey Schwartz contributed to this report.