Where are AARP's challenges when it comes to mobility and security? Hall: Keeping member data private and staying out of the headlines becomes more challenging as my [users] want mobility to have and use data. Keeping an enterprise on the move is not just about technology, it's working with user security and behavior, which is a lot harder to standardize. The challenge is perpetually balancing how to use and secure systems and data.
What kind of technology does AARP use to help users be more mobile? Hall: Users want lighter weight tools and more intimate data on customers so we can do business. These threats--the risk of losing any of our personal member or staff information--make it more challenging. We do encryption on data in flight with SSL; at the perimeter, we have good firewalls, IDS, IPS. If they're very mobile, we'll do whole-disk encryption.
How has the spike in telecommuters impacted the way you provide security and enable workers?
Hall: In the last six-to-12 months, the desire for more access in more ways and from more places has grown. The way gas prices are, that's going to continue. The technology is mature enough that business users can do more from home--Web meetings, conference calls, softphones, high-speed access is almost ubiquitous. Why not work how and where you want to work?
The majority of our users live in major areas, DC, Los Angeles where commuting is an issue. Issues with continuity planning and pandemic planning drive a much more realistic business need for telecommuting on an ad-hoc or permanent basis. It's our job to get the right set of tools in place in advance of business clamoring for it. If we do that, then we're going to be more successful in the services we deliver.
Is security becoming less of a technology question? Hall: Technology plays a huge role in my security program. One of the facets of our security organization is the degree to which we can make security seamless to the end user, and that's done through technology. We deploy a great deal. If I don't' have to rely on the user for [policy] compliance, I won't. I want to enable marketing to focus on marketing, not security. It's not easy. The reason I run security and operations is because they're so closely tied together.
Do you think security will evolve to where it's meshed with business processes, and a security office as it's constructed today will disappear? Hall: We've been living that evolution to be honest. We're spinning security out of the IT organization. We created a security and compliance group. Once we got our practices to the point where they function well, we could spend more time on communicating and marketing security inside IT and the enterprise. We've embedded security in operations, and everyone is responsible for securing the enterprise and delivering security solutions to user.
You report to the board at AARP. What do they want to hear from you? Hall: I have dotted line reporting directly to the board, should I need to exercise it. I report to the board once a year in the areas of risk and security. The topics depend on what's going on in business and with our membership and what's going on in the media. What's top-of-mind to any board is what's in the Wall Street Journal. If it's ChoicePoint, they're asking me about ChoicePoint.
This was first published in October 2006