Steve Sommer has seen just about everything in his 30+ years as an IT executive. As a Chief Information Officer (CIO) and Chief Technology Officer (CTO) since the late 1980s, he has witnessed the industry's transition from the "dumb" terminal/server paradigm and slow, kludgy dial-up to today's "always on" networks. He has also participated in and grappled with all of the positive and negative aspects of transformational and disruptive technology trends. Sommer has experienced firsthand how the "consumerization of IT" and the rapidly increasing number of remote users accessing the network via smart phones and tablets impact IT, security and how companies do business in the 21st century. Sommer is currently CIO at Stromberg & Forbes, LLC, a financial services company with offices in New York and Florida. Prior to that he spent 25 years at Hughes, Hubbard and Reed, a law firm headquartered in New York City. He worked his way up at HH&R to become CIO and CTO, holding down both jobs simultaneously. ITIC interviewed Sommer on a wide range of topics, including the pros and cons of new technologies like virtualization and cloud computing. He also talked about the impact and implications of end users utilizing consumer devices for ubiquitous connectivity. Sommer also dispensed practical, tactical advice on how organizations can construct a strategy for efficient and secure mobility and remote access. As an eyewitness to the September 11, 2001 attack on the World Trade Center, Sommer talks about how the terrorist attack changed the way companies view disaster recovery (DR) and backup plans in a post-9/11 world.
Laura DiDio, ITIC: Virtualization and cloud computing are two of the most pivotal technologies to emerge in the last five to seven years. Do all users from SMBs to enterprises need them and why?
Steve Sommer: There’s no escaping virtualization; that’s the way the industry is going and SMBs should follow; they have just as much need for virtualization as large enterprises. The density of the data, the content, the critical nature of applications and business continuity all make virtualization imperative. It saves money, provides consolidation and it’s easier to maintain a streamlined environment. Virtualization allows for better testing and faster, more efficient disaster recovery (DR). Virtualization preceded the cloud. But cloud computing is different. There are many dangers inherent to the cloud. Any SMB contemplating a move to a public, private or hybrid cloud must realize that cloud computing isn’t free or cheap. This is especially true for SMBs with more limited resources and smaller budgets. But a well-planned cloud implementation will deliver better economies of scale and alleviate the burden on IT. From my perspective, Google and Apple are not the best solutions for an SMB cloud. The issue is that end users in SMB organizations utilize Google’s cloud and Apple’s iCloud as consumers, but they’re not necessarily worried about their company’s security, costs and integration issues. The users are just concerned with accessing their data, whether they’re at home or in a public facility like a restaurant, kiosk or a plane. Typically, end users are ignorant of the business’ support costs and security ramifications. They don’t grapple with the problem of how the organization will support the cloud. That said, eventually almost all SMBs, like large corporations, will need a cloud; they won’t be able to compete effectively otherwise.
ITIC: For SMBs that lack the money and the IT resources of larger enterprises, does it make more sense to go with a public, private or hybrid cloud?
SS: If you lack the funds to hire an external cloud services provider, then you’ll need a private cloud using something like Microsoft’s SharePoint. However, even a private cloud managed internally is an expense, because you have to tweak and expand the infrastructure to accept the users accessing the private cloud. That’s a lot of work. You have to publish your information outside the firewall and build a secure environment to allow people to access crucial information. Your infrastructure has to change and evolve [to accommodate the cloud]. For example, you’ll need to upgrade the WAN. SMBs, like enterprises, can support private clouds capably on their own. However, they will need in-house expertise and it will still cost money. SMBs need to build a cloud in steps; a hybrid cloud is a good choice for an organization starting out and getting its feet wet. Even a large retailer like L.L. Bean has partnerships with outside vendors. A public cloud is optimal, but the gating and inhibiting factor is the expense.
ITIC: What are some of the most crucial issues that organizations should consider when implementing a cloud environment?
SS: If you’re going with a public cloud, there’s a lot to consider. The first is training your people and putting the proper controls in place. Next, you have to decide on approved applications and which, if any, applications to blacklist. Most SMBs today are ready to transition to the cloud. The most important factor is selecting the right vendor. You have to perform due diligence. You must assess key elements of your planned cloud implementation such as security, storage capability, and the reputation and strength of the vendor in the marketplace. What cloud providers are your SMB peers using? The telecom vendors like Verizon have the best opportunity to partner with data vendors. I think we’ll see partnerships between companies like IBM and Verizon. Test first, and decide the order of the applications and content you want to put on the cloud. External providers can provide the best portals for data access. You have to address issues of security, data retention, data loss, tracking and response time. And the business must balance its needs with those of the consumer public, end users and customers. Each vertical industry is different and subject to specific compliance regulations. Legal and healthcare are very strict about confidentiality. But ironically, legal and healthcare users carry around mobile devices, and they frequently get lost or stolen. So you have to assess the risks. How do you support the various amounts of data accessibility with legacy applications? That’s another big concern.
ITIC: Another major trend is remote access and mobility. Do you have any specific “Dos and Don’ts” for fellow CIOs, CTOs, IT managers and users with respect to constructing a workable technology and business strategy to address the growing ranks of remote workers?
SS: The biggest risk for device access is data loss. Security is another huge issue.
- Do construct an end user usage policy. And provide them with training to understand the technology and business implications.
- Do find the application that fits for the majority of your devices. Finding a common avenue of access is very crucial.
- Do take responsibility to own the device or not. Who owns what? That is a cost issue.
- Do make sure you have top notch security in place. Choose the right security vendor – are they all inclusive and do they have the knowledge base to support your organization?
- Do communicate the remote access policies and get buy-in from the management and all appropriate departments. You can’t have discord/disconnect among management, end users and IT.
- Don’t give your end users five different ways to access information. It’s confusing and will be a resource drain in terms of support.
- Don’t give in to user pressure to do things a certain way. The easiest way is always the best method of accessibility. Stand your ground. Don’t go ahead and promise without the proper infrastructure support.
- Don’t do it alone. Don’t think you can supply security, data storage, remote access, etc. You need an external partner, and be upfront with management to tell them exactly what needs to get done.
ITIC: Apple’s iPad was introduced in April 2010 and it’s sparked a real revolution. Lots of people are saying “the PC is dead.” Do the iPad and other tablet devices have enough functionality to supplant PCs and notebooks as the next generation desktop?
SS: I don’t think the PC is dead. Laptops are definitely diminishing because of the iPad and other tablets. For the desktop intensive worker the PC still has a place in performing compute intensive and transformational activities. There will still be billions of PCs although laptops will diminish. Five years from now there won’t be as many PCs but the PCs will still do the heavy lifting unless/until iPads have more storage, more computational power. There will be less and less need for PCs but they will still exist.
ITIC: Remote access, mobility and the use of myriad devices to connect to the network from tablets to smart phones have made security even more challenging. What poses the greatest security threat to the corporate network in 2012 and beyond?
SS: From a technical perspective, social media sites and social applications are killer; they are the biggest threat out there. Facebook, Google and others can get at your information and violate privacy. However, human error constitutes a greater threat than malware. People are just not careful. A high percentage of the population works from home or travels. They think nothing of accessing entertainment and social media sites that grab our information. The portability of information is another huge concern. We’re carrying around sensitive data – both professional and personal – and losing it in planes, trains, taxis, etc.
ITIC: What’s the most memorable, defining experience you’ve had in your IT career?
SS: Without a doubt the most horrible and yet redeeming/rewarding experience was living through the 9/11 attack on the World Trade Center. The Hughes, Hubbard and Reed law offices were only three blocks away from the Twin Towers. I was just emerging from the subway when I saw the first plane hit. It was horrific and chaotic. People were naturally terrified; no one knew what was coming next. The communications systems were overloaded and unavailable. In the immediate aftermath of the attack, my first priority was to safely evacuate the staff out of lower Manhattan. I stayed behind and shut the systems down. I had to properly secure the data since we lost power and communications. We weren’t allowed back in our offices for a week and a half. We relied on our branch offices and phones to get headquarters people re-connected. We had lost all our Verizon and AT&T telecommunications. Microsoft had people at our branch offices on September 13th. They just showed up and helped us restore systems using DSL. We used Windows NT as a router and constructed our own routing protocol. Bill Gates himself ordered people to come down and help out. We were lucky; we didn’t lose any data because we had a backup plan in place. Post-9/11 we knew we had to improve our disaster recovery capabilities. I got approval to do a DR co-location 30 miles away. That may not always be the most appropriate thing. But the 9/11 tragedy convinced businesses that they must have DR and restore functionality for their most business-critical applications. We got our new plan up and running in less than a year with Verizon. The 9/11 terrorist attack forever changed DR and backup. The tragedy also contributed to the increase in remote access and mobility. The biggest lesson of the 9/11 terrorist attack was that we must be ready for anything, respond quickly and adapt.