Protecting security

17.08.2005
By Sheila Lam

Two-factor authentication has recently arrived on Hong Kong's Internet banking scene. As the CIO of a major two-factor authentication technology provider, Gerry Wilson shared with Computerworld Hong Kong's Sheila Lam what security means for RSA.

CWHK: What are the challenges for a CIO at a security company?

Gerry Wilson (GW): Given what we do, certainly lots of hackers out there would like to hack into our site. So we hold our site at a higher standard for security protection.

We are currently managing 40,000 identities, both internal users and business partners, and more are on the way, therefore we need stronger authentication technology. It is certainly an easier job for us to find security products. It saves us a lot of time in evaluating the products because we go right to the best in the market.

Another major challenge for CIOs is that more attacks are becoming organized crimes. Many of these attacks are launched from Eastern Europe and [by] street kids. It's costing organizations a lot of money to deal with this kind of fraud. Spyware and bots are also getting nastier. I read an article about hackers who threatened a company for money or else they will launch an attack to bring down the site.

CWHK: How is the CIO role different in a security technology company?

GW: I"m no different [from] other CIOs. For example, we are currently planning to migrate our call management system. There are a couple of reasons for that: one is to potentially increase our revenue by ensuring customers are happy with our services, secondly is to do things more efficiently and effectively, to drive down expenses.

The other thing we do within RSA is that we act as an extension of the engineering department, specifically for the quality assurance group, as we test our products internally before [they're] shipped to the customers. We can see how the products actually work to provide advice and raise problems we see to engineers. This is the unique value we see for the company. Many CIOs in technology companies would do the same as well.

My role, like a lot of CIOs, has changed over the years. It's less about managing the infrastructure and more being a business partner. It's actually the part of the job that I enjoy the most.

Any good security policy depends on three things: people, process and technology. The typical role of a CIO is to go out and get that technology. But what makes the difference between success and failure is hiring good strong people who understand the technology as well as policies and procedures.

CWHK: You have a background in business, before shifting sides to become an IT professional. How does that help your role as a CIO?

GW: With a finance and business background, I am familiar with managing budgets and spreadsheets. It also allows me to better understand the challenges of the CFO and CEO in meeting shareholders' and investors' needs. But regardless of the background, the person definitely needs good people skills to take up this position.

One of the most important aspects as a CIO is to build a personal rapport within the organization. Many CIOs have struggled to get things done and approved. With a good rapport, it is so much easier to get things done.

There is a trend of more business people taking up the CIO role. I've read research that shows 50 to 55 percent of CIOs come from a tech background and move into business, with only 25 percent having a pure IT background. A techie person needs to make that change or else they won't be able to move up the ladder.

A Gartner report also shows the CIO's role should focus more on core competence: to understand the business, spend more time and effort on security analysis and vendor management.

Since offerings from the vendors are becoming like a commodity, vendor management becomes an essential part of the CIO's job. Just like at RSA, we have no more programmers and all our programming work is outsourced.

CWHK: What are the technology trends that you observe?

GW: The culture of compliance: whether for the healthcare industry or European data privacy laws, each region has specific laws and regulations that CIOs need to be aware of. This culture of compliance is forcing CIOs to take different approaches to address their information security problems.

When we went through the Y2K issue, we put in a lot of work to prepare for one single problem, but moved on after that. These compliance issues [form] a continuing trend of more and more compliance initiatives you have to deal with. If you take each one of them and deal independently, it's not very efficient. So instead, you should put in a security framework, which allows you to comply with all the new initiatives.

The second major trend is mobility. There is an explosion of wireless access, converged devices, voice and data over WLAN. Business executives are seeking access to corporate information from anywhere with multiple devices. That's challenging many CIOs and CSOs to build a secure environment to support that demand.