Section 4
In their own words: Security pros describe best practices

Thomas Weisel Partners achieves SOX compliance in a mobile world

By Paul Desmond

When Thomas Weisel Partners went public last year, it forced some dramatic changes in how the San Francisco-based investment-banking company approached IT — and in CSO Beth Cannon’s job description. She recently completed an 18-month retooling of the policies and procedures the company follows for everything from managing change to using mobile devices. Looking ahead, she sees a new crop of threats on the horizon that target the mobile devices that many of the firm’s 650 employees use daily.

What is the reporting structure there — you’re part of the IT group, correct?

I am, and I report to the CIO, who reports to the chief administrative officer, who is part of our executive committee.

How is that structure working out for you?

It works OK for me. I started out in IT, so I have a lot of IT relationships that I can’t get my job done without. However, because I’ve been here for a number of years and because of my past duties running engineering and infrastructure — of which a part was the security of the desktops, laptops, servers and network — I also have relationships with the compliance and legal teams as well. As a CSO, you cannot get your job done without those relationships. For me it would work either way. I think you have pros and cons on both sides.

What are some of the key regulations that you have to comply with?

On the broker/dealer side, there are a number of NASD and [New York Stock Exchange] regulations that affect the IT group, from written-communications rules that say we have to archive all instant messages and e-mail. We also have to worry about mobile devices and what people are doing with them that might be outside of the policies, procedures and regulations we have. We are required to block Web sites that would put us out of compliance, like [IM site] meebo. Users are allowed to use certain IM services here, but we cannot allow use of any that we cannot log or archive. We have a proxy server for allowed IM networks, such as AOL, Yahoo and MSN.

The mantra is basically, if you can’t log it, archive it and supervise it, you better block it. That is very hard to do today with the technologies available to employees, such as MySpace, podcasting and the blogging options. The regulatory agencies are preparing to issue new guidance on the written-communications and supervision rules that will take into account mobile devices, as well as many of the newer communication technologies. So we will need to consider additional means of restricting access to only what we can control and log. All of these things are a concern. The technology to allow users flexibility to do new things is far ahead of the technology to block it, archive it or somehow prevent corporate use of it.

Do you have to block things for everyone in the company or just certain people?

It’s companywide. And we log and archive companywide.

How long do you have to keep archives for?

The rule states three years, but if you’re in litigation of any kind, you have to keep it [until the litigation is complete]. So we continue to have all e-mail records from the beginning of our business in 1999. There always seems to be something going on that
