When Thomas Weisel Partners went public last year, it forced some dramatic changes in how the San Francisco-based investment-banking company approached IT — and in CSO Beth Cannon’s job description. She recently completed an 18-month retooling of the policies and procedures the company follows for everything from managing change to using mobile devices. Looking ahead, she sees a new crop of threats on the horizon that target the mobile devices that many of the firm’s 650 employees use daily.
What is the reporting structure there — you’re part of the IT group, correct?
I am, and I report to the CIO, who reports to the chief administrative officer, who is part of our executive committee.
How is that structure working out for you?
It works OK for me. I started out in IT, so I have a lot of IT relationships that I can’t get my job done without. However, because I’ve been here for a number of years and because of my past duties running engineering and infrastructure — of which a part was the security of the desktops, laptops, servers and network — I also have relationships with the compliance and legal teams as well. As a CSO, you cannot get your job done without those relationships. For me it would work either way. I think you have pros and cons on both sides.
What are some of the key regulations that you have to comply with?
On the broker/dealer side, there are a number of NASD and [New York Stock Exchange] regulations that affect the IT group, such as written-communications rules that say we have to archive all instant messages and e-mail. We also have to worry about mobile devices and what people are doing with them that might be outside of the policies, procedures and regulations we have. We are required to block Web sites that would put us out of compliance, like [IM site] meebo. Users are allowed to use certain IM services here, but we cannot allow use of any that we cannot log or archive. We have a proxy server for allowed IM networks, such as AOL, Yahoo and MSN.
The mantra is basically, if you can’t log it, archive it and supervise it, you better block it. That is very hard to do today with the technologies available to employees, such as MySpace, podcasting and the blogging options. The regulatory agencies are preparing to issue new guidance on the written-communications and supervision rules that will take into account mobile devices, as well as many of the newer communication technologies. So we will need to consider additional means of restricting access to only what we can control and log. All of these things are a concern. The technology to allow users flexibility to do new things is far ahead of the technology to block it, archive it or somehow prevent corporate use of it.