Security, compliance come before collaboration

Vanguard is trying to balance regulatory compliance needs with its adoption of Web 2.0 tools

Enterprise 2.0 strategies are becoming more popular among companies today, but there are serious logistical and legal challenges along with the expected benefits of using social collaboration tools.

This is especially true for companies like Vanguard, a mutual fund with roughly 12,500 employees and US$1.3 trillion in assets under management, said Abha Kumar, principal in the information technology division, during a presentation at the Enterprise 2.0 conference in Boston this week.

Due to the nature of its business, Vanguard must contend with a wide variety of regulatory guidelines and compliance matters, with scrutiny coming from government agencies such as the U.S. Securities & Exchange Commission, private auditing firms and foreign regulators, she said. "We can never, ever let our clients' data get outside our four walls."

Therefore, historically, Vanguard's IT department has behaved quite conservatively, she said. "We tend to lock it down first and then open it up as the need arises."

She offered one example: Until recently, GPS capabilities on corporate BlackBerries were disabled. That didn't change until an executive called and asked for GPS to be turned on, as he was lost in Ireland, she said.

But despite these constraints, Vanguard has begun adopting Web 2.0-style tools, through a three-tier strategy focused on mobility, collaboration and "enriching" communications. Employees have responded enthusiastically, said Andrew Lazzaro, a Vanguard IT manager who co-presented with Kumar. "They're dying for it."

Still, the pace of progress has been deliberate. Vanguard only recently gained instant-messaging capabilities because, just as with e-mail, it first had to figure out a way to save each message in a non-rewriteable format. The same goes for content produced by the company's emerging set of wikis and blogs.

Vanguard remains extremely conservative with regard to non-corporate social applications. While company users can access Vanguard's own Facebook page, they can't post messages to it or access any other pages on the site.

But "only so much can be done on the IT side" to ensure social tools are used in a secure and compliant manner, Lazzaro said.

Businesses have to work on a sound governance strategy before turning on such systems, as without one, they risk having "a real mess on [their] hands," Lazzaro said.

For example, Vanguard has created an array of collaboration sites for teams around the company. A manager is assigned to each site and held responsible for monitoring the content constantly to ensure compliance, Kumar said.

Users from a wide variety of departments should be heavily involved in the planning and development of any new social system, as they can provide valuable insights into whether the project is meeting regulatory guidelines, Lazzaro said.

Meanwhile, IT staffs need to consider the operational impact certain Web 2.0 tools could have, he said. "From day one, you've got to start thinking. Videoconferencing? What's that going to do to my internal bandwidth? Is that going to start bringing down my business applications?"

Looking ahead, Vanguard is planning to expand its use of collaboration sites and pursue "device independence," he added. "These social tools ought to work no matter the device employees are using."

It also plans to work on better integrating its range of social software. "As an IT shop we've been throwing puzzle pieces out there all over the place," he said. "We've got to bring these all together so they don't feel like stand-alone tools."

Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris's e-mail address is
