The virtues of volunteering

One CISO reaps rewards from his work with a user organization.

Taking on volunteer work for an organization pledged to IT security can pay off handsomely in solidifying business partnerships, fostering corporate security and earning kudos from your boss. Volunteering in key positions, however, inevitably takes time away from the job - meaning volunteers face working longer hours to compensate.

Working extra hours to compensate for time spent volunteering is a fact of life for Paul Simmonds, CISO at ICI, a U.K.-based manufacturer of paints and specialty chemicals that has 355 business sites around the world connected via a global WAN.

His day job involves deciding how security will be implemented on behalf of tens of thousands of ICI employees. In his volunteer capacity, Simmonds is a member of the board of the Jericho Forum, a user-based organization of mostly large, global firms, such as BP, Procter & Gamble and Qantas. The forum's mission is to collaborate on finding ways to facilitate e-commerce without the need for traditional security measures, such as perimeter firewalls and proxies. For about a year, vendors have been permitted to join, but they don't have privileges to vote on the forum's documents and IT architecture papers.

Since Simmonds took it on, his volunteer work of advocating for the Jericho Forum's philosophy, known as de-perimeterization, and publicly speaking about it at trade shows and other meetings has consumed about 5% of his time, he says.

To Simmonds, it's more than worth it because he believes the forum's collaborative efforts are critical to the future of doing business on the Internet, where financially motivated cyberattacks are growing and consumers appear increasingly afraid of online commerce.

"Use of the Internet is based on trust, and we're using it for communications and business," says Simmonds. "I can't do that on the mass level I need to [if I use] today's technology." Traditional VPNs, firewalls and proxies are seen by the Jericho Forum as barriers to e-commerce rather than facilitators, and the organization's membership is eager to identify alternate security methods.

The forum's membership - which has grown from 30 to 100 companies since Simmonds started his public-speaking engagements two years ago - holds face-to-face meetings once a month and two conferences a year, in North America and Europe.

The impact of this volunteer work is such that he typically works longer hours, Simmonds notes. "It's often a 60-hour week," he says. His volunteer work is backed by ICI's management, however, which subsidizes his expenses associated with the forum, because the company views it as a means of finding better ways to do business online. "Management feels strongly about Jericho Forum," Simmonds notes.

Although it remains voluntary, Simmonds' work with the forum is having an effect on the strategic direction of ICI's own networks, because the ideas Simmonds brings back to his corporate management are becoming accepted as a template for future technology procurements.

Simmonds points out that the Jericho Forum's members have been effective at sharing their views and writing papers aimed at making it clear to the vendor community what they like and don't like about today's products. Those views are summed up in white papers, including ones on basic architecture, voice over IP, wireless and content filtering.

Not only has the Jericho Forum membership articulated its views in position papers, but some members, including ICI, also are taking steps to wean themselves from perimeter, VPN-based firewalls or other technologies.

"BP Amoco just moved 18,000 users off the intranet and onto the Internet with no firewall at all, authenticating at the application level," says Simmonds. "Boeing is doing the same thing."

In "Internet Filtering and Reporting," a position paper published this July, the forum advocates moving content and URL filtering further from the corporate intranet to the Internet. That's an idea being embraced in practice at ICI.

"We're using that idea as a basis for an RFP that we sent to 15 vendors in May, including AT&T, BT, MessageLabs, ScanSafe, Verizon and others," says Simmonds. "We're saying, move URL and content filtering, and analysis of spoofed Web sites, and do that filtering in the cloud," he says.

ICI hopes to conclude a contract for outsourced content-filtering in time to have the service in place for its operations by early next year.

Upcoming Jericho Forum projects include a critical assessment of network access-control technologies available today. The forum's strategy papers often take many months to complete, but the growing clout of the organization means its opinions are becoming heard more widely by companies and vendors.

That's good news to Simmonds, who has worked with diplomatic urgency to sway vendors to give de-perimeterization a fair hearing. "Cisco came in about six weeks ago to Jericho Forum, and IBM is actively involved, too," Simmonds says. That kind of participation should foster a dynamic between enterprise customer and vendor to build IT products that are both simpler and more effective in securing networks that depend on the Internet for e-commerce.
