Operationalizing Endpoint Security: How IT is Adapting to the Changing Threat Landscape

I recently sat down with Anthony Sica, Executive Director of Information Technology at Shiseido America, to get his perspectives on the changing threat landscape and the evolving role of those in charge of Information Technology. For the past six years, Tony has been in charge of infrastructure, end user computing, data centers, and compliance for Shiseido, one of the world’s oldest cosmetic companies.

Q. How has your role evolved over the past six years?
I’m focusing less and less on operational issues such as patching PCs and more on strategic, visionary initiatives, specifically ones focused on making sure we’re achieving compliance without overburdening our department. Increasingly, I’m focusing on compliance assessments and methodologies. Because we produce cosmetics, the most important compliance regulations are those defined by the FDA, as well as the Japanese version of The Sarbanes-Oxley Act – J-SOX. And because we are an OEM for some pharmaceutical companies, we have to make sure our FDA compliance is posted and is acceptable to pharmaceuticals. So we have to be a lot more visionary when it comes to applying our methodologies.

Q. A Deloitte article entitled “What’s keeping CIOs Awake at night?” states that the role of a CIO has changed from protecting networks to driving business value. Do you agree? What’s driving this change?
In the past, data exchange with our partners – such as Macy’s – occurred in a more closed environment, relying upon value-added networks, or VANs. During the past two years, we’ve migrated to Internet-based EDI. While we use encryption, EDI still introduces more security concerns than when we were using VANs.
That said, our partners’ focus has shifted away from network protection. One of the main reasons is that our partners’ business challenges have become more complex and dynamic in nature. For example, some of our partners are looking to cut costs and streamline efficiencies in the face of the economic downturn. From an IT perspective, they look to us to help them mitigate issues that might negatively impact their business, such as changes in their business and in the economy. Oftentimes, they can’t pinpoint the problem, so they need us to both identify the problem and provide a dynamic solution that adapts to their particular situation.

Q. How should senior-level executives and CIOs adapt to the changing threat landscape?
First of all, you have to recognize that your idea of an adequate security methodology might not be the same as someone else’s. That means you have to be more of an auditor, and adapt to the situation at hand. It’s critical that you not only understand your business and technology, but your partners’ and clients’ business and technology. Then you need to come to an agreement with these other parties on the best methodology and minimum requirements. A weak methodology can lead to security breaches, so you need to assess those risks and determine where to set up firewalls and other security measures. In this economy, all businesses have to worry about what their partners and clients are doing.

Q. Do you have a seat at the executive table? Why is this important in building strategy?
I report to the VP of IT, who has a seat at the executive table. For certain projects, I sit there too. The first reason this is important is because you get champions who sponsor your ideas and initiatives and can sell the vision. Without a sponsor, you’ll fall flat. Having a vision is just half the game. You need a partnership between business and IT to turn that vision into reality.

The second reason is that this seat at the table gives you an opportunity to make the business aware of risks and how you plan to mitigate them. It’s hard for the business to achieve these goals unless IT is at the table.

Q. What keeps you awake at night? With all the new technologies, has your job gotten better?
For the past two years, I’ve been more involved with IT strategy. We’re trying to streamline the business and cut inefficient systems, which turns into dollar savings. So I’m concerned with trying to achieve the same goals with a smaller budget. New technology makes it easier to address a specific issue. In other words, I can turn to best-of-breed tools instead of an overarching solution to keep the environment secure at a lower price.

Q. What recommendations do you have for other IT executives?

1. Pinpoint your top security issues, assess each problem individually, and look for solutions that best address each problem instead of investing in an overall framework that you won’t fully utilize.

2. It takes longer to find the right fit when you’re choosing a best-of-breed solution so it’s key to work with seasoned professionals who can tap into their experience and networks.

3. Wherever possible, demonstrate IT’s value as a revenue generator or profit center. That might mean you actually show that IT is revenue neutral. The key is to avoid being categorized as an expense and instead show value from a financial perspective.

4. Dig deep to identify your contributions and fly your own flag.
