Viruses. Spam. Software patches. Upgrades. Nuisances that nibble at IT shops everywhere. Attacking them as a class of problems elevates your security readiness.
It's never a good night for the IT department when the first person to get hit by a new virus is the CEO.
That's exactly what happened when the W32.Blaster Internet worm slipped onto the notebook of ABM Industries chief Henrik Slipsager. Slipsager was booting up during a business trip in Los Angeles in August 2003 when the error message that defined the Blaster popped up, paralyzing his machine and millions of others across the globe. The CEO began calling mobile phones of top IT staffers in San Francisco looking for help.
"It was 5:30 on a Wednesday," recalls Sean Finley, assistant vice president and deputy director of electronic services at ABM, a $US2.3 billion company that provides janitorial, lighting and security services to high-rise buildings. Finley, a 15-year veteran of the company, says he called an ABM Web site administrator in Los Angeles. "I said: 'Listen, you've got to do me a big favour'," he recalls. Slipsager left his notebook with a hotel bellhop as the employee raced there with antivirus software. The CEO's computer was fixed. But after that night, the way ABM dealt with viruses changed.
Instead of putting out fires, ABM's IT group moved to set up policies that mandate how employees use antivirus software. One user mandate: No network logon without the latest virus update download.
With natural disasters to the left of them, and heightened world tensions to the right of them, you'd think CIOs would be wearing hard hats and gumboots to the office. After all, they've been training - prodded by worried CEOs and boards of directors - to prepare for the catastrophic: bush fires, floods, earthquakes, power outages, even terrorist attacks. Not surprisingly, IT spending on disaster recovery by global financial services companies after 9/11 spiked 19.2 percent to $US3.4 billion - up from sleepier 3 percent to 5 percent annual increases throughout the 1990s, according to Tower Group. Although spending dipped by 6.4 percent in 2003, businesses are still shelling out unprecedented amounts of their IT budgets on security. An estimated 5.4 percent in 2003 went to bulk up security compared with 3.1 percent in 2001, according to Gartner.
Of course, the annoying headaches an IT staff tackles every day might seem insignificant when stacked up against natural disasters. But to the average company, they aren't. The total effect of spam, viruses, software upgrades and other niggling problems is a plague that cost businesses around the world billions last year. Most CIOs know this. They realize that the real threat isn't Armageddon; it's being nibbled to death by ducks.
"The majority of our time is spent on the little things that prevent the big things from happening," says Dan Yee, CIO of the California Independent System Operator Corporation (the not-for-profit organization that manages the state's power grid established to prevent electricity shortages and blackouts). Yee says focusing on the "little things" means, for example, splitting end users into different classes (like executives and other workers), and using automated tools to monitor what software gets onto their PCs in an effort to head off problems before they occur.
CIOs could be excused for delegating these nuisance issues to their staff. It makes sense to divide and conquer, to quash each snafu as it comes up. Many IT executives interviewed for this story continue to follow that approach. But it's also not hard to see that CIOs who fail to treat these nuisances holistically, as a class of problems that deserve management's attention and a plan of attack, do so at their peril.
Spam, for one, cost corporations $US10 billion in 2003, according to Ferris Research. Look at viruses: Computer Economics estimates that in 2003 the endless parade of 7064 new viruses, worms and Trojan horses cost companies more than $US13 billion. Even seemingly benign problems like employee password changes add up. These requests account for up to half the help desk calls in a given year and cost a company about $US38 per annoying reset, according to Gartner. Add password updates to never-ending nuisances such as the employee who never deletes a single e-mail in 10 years or the PC user who crashes his computer during massive MP3 downloading, and the road leads to one all-encompassing term that could use its own army: nuisance management.
The good news is that CIOs have plenty of weapons in their utility belts to fend off many of these recurring problems. Ideas as simple as enforcing a better written policy for e-mail and banning certain kinds of instant messaging applications from the company's desktops can make a big difference. Ultimately, dealing with nuisances is about being proactive and learning from mistakes. The problems might never go away, but they can be controlled.