Security Standardization Goes to Press
- From CIO Digest, April 2009 Issue ( Download This Entire Issue in PDF)
When Heidelberg Druckmaschinen AG appointed a new CIO, Michael Neff, nine years ago, he recruited Howard Hutchings from the company’s Web Division in the United States. Hutchings, the vice president of IT infrastructure at Heidelberg, had successfully consolidated the division’s IT environment, reducing costs and driving operational efficiencies, and Neff wanted Hutchings to replicate the results achieved in the division across all of Heidelberg’s 180-plus global operations.
The “un”-juxtaposition of standardization and decentralization
Standardization and decentralization are typically seen as juxtaposed. This paradigm, however, has been deconstructed with the evolution in IT environments over the past decade. “The days of a highly centralized mainframe environment gave way to fragmented, decentralized environments based on Microsoft and Novell technologies,” Hutchings recounts. But compliance, cost containment, and other issues prompted a return toward standardization about a decade ago—centralized administration and management while maintaining highly decentralized hardware environments.
Hutchings and his new team began a methodical approach that spanned a number of years to consolidate and standardize Heidelberg’s different IT environments. The Heidelberg team approached its global standardization initiative in sequential phases. “We started with a number of different projects,” Hutchings remembers. “We looked at the different pieces; the network, security, and desktop environments were defragmented around the world. We established one project to bring them into a standard infrastructure and set of processes. Over the course of three or four years, we standardized and deployed the infrastructure for each of these technology areas throughout the world.” For Heidelberg this meant a shift from scattered services spread across its various locations around the world to a centralized set of security, desktop, and network services.
The overarching results are impressive and include highlights such as slashing the IT budget by nearly half; eliminating more than 80 percent of the Microsoft Exchange servers; and virtualizing more than 80 percent of all servers operated in the global data center, 50 percent of the desktop applications, and as much as 75 percent of storage systems.
Getting the right security “type set” in place
Hutchings and his team turned their attention toward security about three and a half years ago. “We were in the middle of our standardization and globalization efforts,” Hutchings recalls, “and we had a highly distributed security environment consisting of seven or eight different solutions providers and more than 15 different products.” The security components included Trend Micro for the data center, McAfee for clients, and Symantec for mail security. In addition, the various security stakeholders didn’t have a broader view of security beyond their own systems. “When a problem occurred,” Hutchings relates, “the security team from that locale didn’t understand the broader ramifications.”
This all amounted to a significant impact to the business. Hutchings cites the following scenario to describe the situation. “While a small 15-person site went home at the end of the day because they had remediated the problem, security intrusions at various sites around the globe—transferred from the 15-person site—might rage for several days and shut down operations for hours or even days.”
Consolidation and standardization of the security environment would provide Hutchings and his team with a unified view of all endpoints across all locations and all environments—from the data center to the client. Hutchings commissioned 27-year Heidelberg veteran Wolfgang Ruland to lead this effort. Beyond conducting an inventory of the existing security infrastructure, Ruland, the global IT security officer at Heidelberg, mapped out the company’s business and technology requirements.
“We ultimately determined that we needed a one-vendor approach,” Ruland explains. “We sought a technology solution that could protect all of our endpoints and [Microsoft] Exchange servers and selected Symantec.”
As a result of working with Symantec Consulting Services, Ruland and his team standardized Heidelberg’s security infrastructure onto Symantec AntiVirus and Symantec Brightmail Gateway appliances. “Standardization drove cost reduction, head-count reduction, and operational efficiencies throughout the business,” Hutchings says.
The reasons for selecting Symantec were not short term but rather long term. “We didn’t purchase the Symantec solutions three years ago simply because Symantec had products that met our technology requirements,” Hutchings notes. “We selected Symantec because its roadmap clearly mapped to our long-term objectives—securing of the mail gateways, securing of the desktop, and bringing everything together under one management console.”
Upgrading endpoint security
With the release of Symantec Endpoint Protection, Ruland and his team opted to upgrade from Symantec AntiVirus. “Our prior environment lacked functionality in the console and management areas,” Ruland says. With initial help from Symantec Partner niwis consulting e.K. during the planning phase of the project, Ruland and his team completed the rollout to nearly 20,000 clients and expect full deployment across data center endpoints in several months.
“As our clients are highly standardized, which includes lifecycle management, it was very easy to configure the deployment,” Ruland comments. The Heidelberg team elected to initially extend just antivirus technology with the upgrade and will add antispyware and possibly firewall, device control, and application control technologies once the data center implementation is complete.
Heidelberg is already seeing results from the upgrade to Symantec Endpoint Protection. The most significant result involves labor productivity. To manage the security for more than nearly 20,000 clients and hundreds of data center servers scattered around the globe, Ruland has only three and a half IT staff. The exact reduction in labor costs over the prior environment is difficult to calculate, though significant. “To be honest, we aren’t certain how many staff previously worked on security,” Hutchings says. “This was more or less hidden in the different areas and it is impossible to ascertain the total number of staff and hours spent working on security. With the reorganization of our security environment, we were able to consolidate security management function to a handful of staff.”
Benefits extend to the helpdesk as well, which now spends less time on security-related calls. End users are also realizing productivity gains. “Security is seamless to them,” Hutchings comments. The next-generation solution provides endpoint protection, identifying, quarantining, and remediating intrusions without any productivity impact to end users. The reduced footprint of Endpoint Protection increases system performance and thus end-user productivity. “The stability of our clients and servers has improved,” Hutchings adds.
|< Previous Page||Page||4||of||4|
And most importantly, Heidelberg reduced its IT risks. Hutchings explains: “The IT risks for Heidelberg has decreased with the improved quality of virus and malware protection. Additionally, the standardization of our environment reduces the amount of time for system updates and patches.”
Spam loses its type set
The Heidelberg team opted to migrate from Symantec Brightmail Gateway software to appliances at about the same time as they elected to upgrade to Symantec Endpoint Protection. Beyond reducing the amount of spam that reaches end users, to less than a tenth of a percent, Hutchings sees the ability to block phishing emails as an important benefit.
“We typically receive 1 million spam messages each day,” he reports. “Previously, end users would get 50 or 100 phishing emails a day and would need to spend valuable time looking at each one and then deleting them—or even contacting the IT helpdesk for assistance, which expended even more time.”
Three ingredients of success
Asked to assess what’s made his team’s standardization efforts successful, Hutchings explains that “you always need a mixture of good technologies, processes, and people.” He also spells out three overriding principles. “The first is that it simply takes time,” he says. “Everything may look good on paper and all of the different constituents may concur on the project plan, but it requires consistent focus and direction.”
The second piece is the need for a knowledgeable staff. “It is important to identify five or six different individuals who really want to dig into the various issues and empower them to become subject-matter experts,” Hutchings notes. Training is a critical component here, and Hutchings and Ruland leveraged Symantec Education Services to help ensure their security staff are subject-matter experts on the Symantec technologies for which they are responsible. This includes Symantec Endpoint Protection Certification for each member of the security staff. “We just moved a new staff member into a security role,” Hutchings reports, “and one of his first action items was to complete training from Symantec Education Services.”
Hutchings specifically calls out Ruland for his outstanding leadership over the past three and a half years. “Without an excellent leader who understands security like Wolfgang Ruland, a project of this scope will simply not succeed. Any ‘tool’ is just a tool, one that can be used effectively or ineffectively. A good IT leader brings real facts to the table and then controls how to put all of the pieces together.”
Ruland also credits Hutchings for his leadership. “It takes a tough leader who will support and back you,” Ruland notes. “Changing systems and processes is not an easy feat.”
Hutchings sums up the collaborative relationship: “We’ve brought the best of both American and German ingenuity together. Sometimes, from an American point of view, it is a matter of get out there and do it quick. And from a German point of view, it is a matter of analysis and bringing the different pieces together right.”
“The third item is a balancing act,” Hutchings concludes. “It is a matter of determining the probability of something happening and then assessing this against the risk associated with its actual occurrence.”
Enabling ongoing (r)evolution
Many place the genesis of the Industrial Revolution with the invention of the printing press. Mass production of the written word transformed society and made knowledge previously accessible to a privileged few to the broader masses. Having produced and sold more than 400,000 printing machines, Heidelberg has left an indelible imprint on the evolution of the written word over the past century and a half. And with its recent standardization initiatives, the IT team is proving that information technology can be a key enabler in the company’s ongoing quest to do so.
Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.