
High Anxiety

A new security standard may help companies do a better job of protecting data, but it's no lock.
Elaine Appleton Grant, CFO Magazine
August 1, 2006

Paul Wilde is a big believer in data protection. As CFO of Corillian Corp., he almost has to be. The Hillsboro, Oregon-based company delivers financial services and products to banks via the Internet. As such, the company not only stores data about customers, it also has access to information about customers' customers. Thus, even a hint of a security snafu — let alone data theft — could prove highly corrosive to the company's brand.

Given the stakes, it's not surprising that Corillian is an early embracer of the International Organization for Standardization's (ISO) new directive on data security. Known as ISO 27001, the standard is laid out in a 34-page manual that covers nearly 200 technology practices and procedures. Getting certified in 27001 can be a lengthy process. It took Wilde and Corillian more than a year to examine the company's existing IT procedures, implement new ones, and document it all. Wilde believes the effort was worth it. "We think this is a very good [security] standard," he says. "I hope that it becomes standard for companies dealing with personal financial information."

That remains to be seen. Backers of 27001 say corporate compliance efforts such as Sarbanes-Oxley and HIPAA are seriously undercut by subpar IT controls — controls the new standard addresses. Barry Kouns, the information-security practice lead consultant at Churchill & Harriman, predicts the ISO's latest IT benchmark will have an impact far beyond the corporate tech department. "The information-security management system in 27001 forces an organization to manage business risk," insists Kouns, "not just information-security risk."

Others are not so sanguine. Critics say ISO 27001 is limited in scope and is expensive to implement (certification costs can top six figures). Andrew Jaquith, a senior analyst at The Yankee Group, believes the latest security directive could create a false sense of, well, security. "People tend to care about whether you have complied with the standard," he explains, "rather than whether it is actually good security."

Rusty Spoon
Most tech observers do agree on one thing: the new IT benchmark is an improvement over its predecessor. While experts say that standard (ISO 17799) rightly focused on the importance of IT best practices, it didn't actually offer any. For example, 17799 recommended placing controls on network access, but gave no specifics. As Forrester Research analyst Khalid Kark notes, it was impossible to deduce if users should set up firewalls, put controls on routers, or limit access for employees.

Such ambiguity often led to protracted, fun-filled certification examinations. Asserts Jaquith, a former auditor: "I'd rather claw my eyes out with a rusty spoon than do one of those audits again."

The ISO, apparently aware of the eye-clawing thing, introduced 27001 last year. The updated standard provides measurable criteria for setting up and monitoring controls. The rules-based approach has made it easier for businesses to follow along. At Xerox Corp., line managers at three of the company's divisions recently commenced the 27001 certification process, as did Xerox's internal-standards group. Tom Hurysz, vice president of platform and consulting services at Xerox, says he plans on following 27001 in conjunction with other controls frameworks, including SAS 70 (the American Institute of Certified Public Accountants' standard governing information security for service providers). "I'd say 80 percent of what we do is good for both SAS 70 and 27001," notes Hurysz. "It's a way to satisfy the marketplace where some people feel that the SAS audit is better than an ISO audit and vice versa."

Right now, it's tough to find many companies that can claim to satisfy the ISO directive. Currently, only 39 U.S. organizations are certified for 27001 (or the British equivalent, BS 7799-2). That's compared with 1,634 in Japan. But the Federal Reserve Bank has attained 27001 compliance, a move that could generate interest in the standard, particularly among financial-services companies that outsource a lot of data-related work. Says Kouns: "More and more RFPs are coming out asking, 'Where do you stand in complying with this international standard?'"

The guess is that 27001 will catch on, albeit slowly. Still, it's not at all clear if certification will substantially boost data protection — or merely soothe customer worries about data protection. "Plenty of businesses spend an inordinate amount of time rewriting their security policies and practices to comply with a standard," cautions Jaquith. "These companies can still be compromised faster than you can say 'hacker.'"

Elaine Appleton Grant writes frequently about business technology.


Standard Deviation
When it comes to IT security certification, the U.S. badly lags other countries.

Country    Certified Organizations*
Japan      1,634
UK           249
India        194
Taiwan        92
Germany       57
Italy         42
U.S.          39

*Organizations (companies, business units, government agencies, or other entities) that are certified under either ISO 27001 or BS 7799-2 as of 6/5/06.
Source: ISMS International

What's the Big Idea?

Like most drug makers, Inspire Pharmaceuticals lives and dies by its ability to deliver valuable new medicines. Figuring out whether to advance or kill an idea, however, has gotten harder. Not only has the company's product portfolio grown, so too has the range of factors that come into play when deciding which products to back. Case in point: management struggled for two years trying to decide whether to license a new respiratory medicine. Says Ward Peterson, Inspire's vice president of discovery: "It was hard to make comparisons on an apples-to-apples basis with so many variables at play."

To help plumb the problem, Inspire last year purchased a software program called Portfolio Navigator. The application, created by SmartOrg, quantifies uncertainties such as market size, development time, and growth potential. It then creates a value map, comparing projects. Within two months of using the tool, Inspire management came to an answer on the drug. "We were able to stack it up against other existing and potential opportunities," says Peterson. "We realized it would be one of the most valuable opportunities in our portfolio."

Such clarity is rare, which may explain why the market for product portfolio management (PPM) software is growing at an 11 percent annual clip. All in all, AMR Research reckons sales in the sector are edging up on $850 million. Earlier versions of the programs — usually IT-project evaluators — tended to focus on operational issues. The new breed of product pipeline evaluators target strategic thinking. "The software provides a framework to make decisions in an objective rather than subjective way," says Jim Brown, vice president of global product innovation and engineering research at Aberdeen Group. "It also provides continuous checks and evaluations of a project throughout its life cycle."

Deduces Are Wild
Businesses go through cycles as well. For the past five years, managers have been maniacally cutting costs in a frantic bid to boost earnings. With little excess left to trim, executives are now looking for ways to bulk up top-line figures. That's a much taller task. And despite all the recent talk about "corporate innovation," profitability remains paramount.

Typically, managers try to gauge the commercial viability of a possible offering by feeding information about potential revenues, risks, costs, and strategic fit into a spreadsheet. The data crunching helps produce a net present value figure. Adhering to a phase-gate approach, managers then reevaluate the figure at each stage of development. The project is axed or advanced, depending on what they find.

One thing they're certain to find: creating all those spreadsheets is a royal pain. Moreover, if each project manager reports findings in a slightly different format, any attempt to compare the results across an entire portfolio quickly turns into an exercise in futility. "That method won't scale," says Michael Burkett, vice president of research at AMR. "Companies can't do it quickly enough, they can't be consistent, and they can't shoot the information to colleagues around the globe."

By comparison, PPM programs create a central repository of information and a standardized process for gathering and evaluating data. Thus, products can be assessed based on real-time information rather than outdated entries.

Hewlett-Packard's imaging and printing group can vouch for the approach. In 2004, the technology company commenced a three-year effort to evaluate new business opportunities. HP automated the number-crunching with a PPM tool called Decision Advisor. "The software puts a visual interface on the process," notes Ralph Morales III, finance leader for HP's imaging and printing group. "You're able to build models as fast as people can talk."

A recent product to make it from concept to market: a photo-printing kiosk for retail stores. When analyzing the project, Morales and his team used the PPM program to create two approaches. In one, HP would sell the equipment to the retailer. In the other, it would keep ownership and simply pay "rent" to the retailer. In the end, HP decided to offer both.

Scenarios driven off of the diagrams also helped the team see that ease of use would be more important than the actual price of the service. Hence, stage-gate milestones were developed around customer and retailer preference surveys. As a result of the input, HP decided to design the kiosks for both unattended and attended environments. Reaching that decision during the initial stages of the project was a real money-saver.

Fail to Bail
Killing a project should also be done as soon as possible, says Robin Karol, CEO of the Product Development and Management Association (PDMA), an industry group: "Given the pace of information flows," she explains, "companies need to bail fast."

According to the PDMA, the Product Performance Institute, and Cap Gemini, only 2.5 percent of ideas get to the development stage at best-practice companies. At average companies, the ratio is more like 12 percent. The result? Best-practice companies spend a lot less time and money on failures. In fact, only 20 percent of their development resources go to products that bomb. By comparison, less enlightened businesses pour close to half of their development capital into losers.
Of course, this sort of computer-aided insight doesn't come cheap. A corporation with $1 billion in revenues will likely pay a PPM specialist a few hundred thousand dollars for a product portfolio application, implementation, and training. "It's not just about the technology," insists Craig Divino, president and CEO of vendor IDe. "Fifty percent of our implementation time is spent helping an organization use information more effectively."

No doubt some of that time goes to convincing project managers they'll benefit from the approach. It can be a tough sell, particularly for engineers who fear their projects will be axed. Still, the promise of shorter cycle times and more successful product launches is hard for senior executives to resist. Says Burkett: "I hear CEOs say upwards of 15 percent of their revenues go to R&D yet they have no idea what they're getting for it."

Yasmin Gharehmani writes about business and technology.

CFO Publishing Corporation 2009. All rights reserved.