TORONTO – Canadian CIOs that want to balance security concerns with the demand for Web 2.0 and social media tools from employees may need to invest in more training and even set up a second IT department, experts told this week’s first annual CIO Exchange conference.
The theme of the event – which was produced by IT World Canada and the CIO Association of Canada – was “Open vs. Secure.” Speakers and panelists explored the rise of tools like wikis and services like Twitter along with the potential for increased IT risks. CIOs discussed common considerations for using more collaborative technologies and the primary business drivers such as employee retention and competitive pressure.
Dr. Mark Vale, chief information and privacy officer for the Province of Ontario, said many organizations, including his own, have to do a lot more work on defining roles and responsibilities around protecting data and its use across Web sites and devices.
“I’ll be honest – we fly by the seat of our pants on this,” he said. “Most employees don’t know the security settings on their own laptops. We know there’s a lot of government data going through Hotmail and Gmail. We’re trying to teach people how to manage their own risk.”
Companies aren’t just focusing on hackers and data loss but looking at how opening up to Internet users creates softer threats to their organization. Phil McBride, IT manager for Global Business Services at Procter & Gamble Canada, spoke about how the company is inviting mothers to blog about its Pampers brand, and creating a Google Maps application to let Iams dog food customers identify the best dog parks. Although these activities allow more engagement with everyday people, they don’t always get approved easily.
“Our legal team? This kept them up all night for months,” he said, referring to the Pampers bloggers. It’s not that mothers would be hacking into Procter & Gamble, of course. The fear is what happens when a blogger says something negative about a product. “You have to think about what it means in terms of transparency and authenticity . . . if someone complains, we don’t try to buy them off and give them free diapers. We ask what we can do to help them.”
Chris S. Thomas, chief strategist with Intel Corp., said in a keynote speech that CIOs can open up their networks and Web sites to some extent, but they should protect core assets that are critical to the company. For Intel, this means taking the word “core” literally.
“We have one normal IT department and then a super-secret IT department that just works (with data about) the (processor) core stuff,” he said. That being said, avoiding social technologies and computing models like software-as-a-service that open up networks to third parties isn’t realistic. “We’re all sharing now.”
Vale said IT training in many organizations needs to be updated to reflect social media and other areas of risk. In the Province of Ontario, areas that used to require 15 minutes of online training when an employee joined the public sector have been moved up to an annual activity, with a discussion about the results with a manager afterward. This keeps employees fresh on policy and allows security policies to be flexible as new things come up.
“My biggest fear is an unskilled workforce,” he said. “We’ve been far too polite for far too long.”
The one-day CIO Exchange event wrapped up on Wednesday.