Prism doesn't have CIOs in a panic -- yet

But CIOs and other tech executives say the spying scandal underscores the need for strong corporate security measures

Revelations over the U.S. National Security Agency's Prism surveillance program have much of the general public in uproar, but in terms of the controversy's impact to enterprise IT, some CIOs have measured, albeit watchful, reactions.

"I don't see it as a problem for us," said Mike Zill, CIO of medical-products manufacturer CareFusion. "I don't see the government doing something to systematically damage our company or any company."

That said, CareFusion already has multiple "highly secure" systems in the company for protecting highly sensitive information, but those systems don't cover all of CareFusion's data and employees, Zill said. "The question is, do we push that to everybody? It's a question of the economics and the risk-to-reward [quotient]."

Only certain industries may need to worry, according to another IT professional.

"I think if we were some nuclear or medical company or something like that it would have been different, but the fact that we can tell you when Justin Timberlake is going on tour doesn't matter," said Ian Woodall, project manager and group IT at XL Video, a British company that provides large-scale video equipment for music concerts and festivals.

Many enterprises may be more concerned about industrial espionage than government spy agencies cracking their communications. But Prism should nonetheless serve as a clear wake-up call to CIOs and other IT executives, said Nick Selby, CEO of StreetCred Software and a risk management consultant who advises large organizations on industrial espionage and data breaches.

"If you take a look at what's already known about monitoring the public Internet, what you find is unencrypted email for decades has been entirely susceptible to in-transit copying, monitoring and surveillance," he said. "Most CIOs and most CSOs have not taken to heart the fact that it is not only possible your email will be intercepted and surveilled, it is likely. The value of encrypted communications has never before been so clearly outlined."

Still, Prism isn't going to spark "a major change in direction" at Toyota Motor Engineering and Manufacturing, North America, as the company is already "pretty high up that ladder of locking things down," said Tim Platt, vice president of information systems and information security. "Espionage is one of our larger concerns."

That said, the fallout from Prism "certainly adds weight to some of the considerations we've made in the past," he added. For example, in order to print or scan a document, employees must place their company badge on a reader, which logs the transaction, Platt said.

Toyota in general places strong emphasis on "what information is going outside of our walls, what the content of that is, and who could get at it," Platt added.

Platt also hinted at one potential benefit to CIOs resulting from the Prism revelations.

Security measures "cost money," he said. "Being able to point to the news that everybody's watching and say, 'that's what we're talking about,' that [simplifies] making business cases to executives."

The Prism scandal has shaken all of us, but perhaps mostly as individuals, according to Tony Soderlund, CIO at Salem Municipality in Sweden, which uses Google Apps.

To that end, CareFusion's Zill sees the potential for a post-Prism backlash against enterprises that use tracking tools, data mining, analytics and other technologies to profile customers, send targeted advertisements and, ultimately, sell more products and services.

"I don't want to be tracked," Zill said, citing the "digital leash" companies try to place on consumers. "It's exhausting."

In the wake of Prism, companies "should be prepared to be very clear about how they use customer and prospect information," said analyst Curt Monash of Monash Research. "This news makes the general populace antsier about privacy."

"My general approach to privacy issues is that it's inevitable that information will be passed around," Monash added. The key for enterprises is to be "responsible in its use and be seen to be responsible," he said.

(With reporting from Mikael Ricknas in London).

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies