Thinking Out Loud: CIO Marv Adams - 'Ford and Security'
Ford and Security
Two years ago you talked rather aggressively about bringing key suppliers inside the kimono, if you will, to start sharing data. You're going beyond sharing it with Magma, and you're going beyond sharing it with Visteon Corp. You're talking about small folks who may have only the most primitive technology systems, and it raises all sorts of issues of communications, also security. Can you address that?
I think depending on the partner we're working with and their degree of technology sophistication, you know, we have to sort of dial in the right level of technology to support their needs. So when you look at something as large as Visteon, we would have various sophisticated and integrated systems infrastructures. They would have all the appropriate security and information security virus protection, disaster recovery kind of capabilities built in, especially for that large a relationship. As you get into the smaller environments, again, it's actually getting easier than it was a decade ago or even five years ago.
The emergence of standards like XML have literally made it pretty straightforward to link Microsoft Office, for example, which almost any size company has, with large scale transaction systems. You put the obvious appropriate middleware in place to provide all the information security and protection, but you can through XML standards link a spreadsheet planning system of a small supplier with a material release system in a company the size of Ford. We've actually done some of that with small suppliers.
Recently we saw an attack on the Internet that took down more than half the servers in this country. It's got to be one of the things that you wake up from occasionally in a sweat.
Security is one of the top priorities that I focus on. We look at the full topic of business risk from operational processes that are critically important to the company, processes ranging from supply chain integration to financial close, for example. We look at business continuity, which is how do you deal with a variety of risk scenarios and how would you get the business back up and running. So you invest in the right level of insurance protection. I'm using the word insurance generically, and you also look at business continuity capability, depending on the importance of that area of the business.
Another component of the risk framework is disaster recovery, which is a more classic IT capability, again, dialing in the amount of robustness required for that area of the system so that you're doing it in a business efficient way. So, for example, some of your online transaction systems that you need to operate the business every day do hot mirroring, where you literally duplicate a transaction in another location so that if a site went down, you could just continue to operate real time.
Other types of information systems only require recovery over a few hours. It's much less expensive. You can back up information in traditional methods, take it offsite, have it there, do that on a daily basis and be able to bring your systems back up within a few hours if you had a particular disaster that required that.
Other environments can be done much less expensively because of the criticality of the business, so that's an area of focus of the risk management. Information security is a big deal to us, so what we invest in authentication, how we focus on our wireless infrastructure, really focusing on more robust directory systems so that as you do work with a partner, you have the people that are authorized and what they're authorized to use. So, again, you can dial in the level of access that is appropriate for the type of business relationship and for the specific role within the company.
Since 9/11, is Ford revising plans to put certain things on the Internet as opposed to proprietary communication systems?
We have continued to raise the amount that we invest in business risk, and we've continued to develop different kinds of systems and process infrastructure to deal with the ever-increasing variety of risks that we face in today's world. And, again, we don't talk about all the specifics of those. But the answer is we spend more money, we have more in-depth competencies in-house and we have more significant business partnerships with companies that work in this space.
We are in very close contact with not only the major software providers, so we're in sync with the latest releases of software to keep them as virus-protected as possible. We're also in sync with various organizations like CERT as well as different government organizations to understand the type of threats that are out there. We also do a lot internally to test our own infrastructure to find our own vulnerabilities.
The thing that would scare anyone might be that Israeli company report that pointed out all the new weaknesses of Internet Explorer, that you could go from outside and essentially take over the computer. It was quite a surprise. Microsoft flipped out.
This is a great example of why Back to Basics is not going backwards. It's actually enabling going forward. If you design systems so that they're vulnerable to any one vulnerability, vulnerability in the browser is the one you just mentioned, if you do that, you are setting yourself up for high risk.
You have to design your systems to understand different kinds of vulnerabilities and have checkpoints all the way through your infrastructure and into your systems that will enable you to be... what's the word used in engineering? Robust engineering is when your product performs as designed under a variety of harsh operating conditions.
A robust systems design is one that operates under a variety of harsh and perhaps even threatening operating conditions. That requires a competency. And as you look to hundreds of different companies to provide solutions, it's just harder to control it. And while we partner a lot with technology companies, we do it in a more controlled manner as a result of increasing business risks.