Q&A: Lenovo’s CIO on Laptop Security

The theft of a U.S. Department of Veterans Affairs employee’s laptop containing the names, birthdates and Social Security numbers of more than 26.5 million individuals underscores a pressing business problem: protecting sensitive information about customers or business activities, and making sure it’s not at risk of being lost or stolen on a laptop computer.

That’s an interesting issue for Lenovo Group, the China-based computer maker that last year acquired IBM’s personal-computer business. Lenovo’s technology organization itself is responsible for managing 15,000 laptops. Baseline executive editor Anna Maria Virzi asked CIO Steven Bandrowczak about his company’s initiatives to safeguard customer and other company information.

Q: How can you as CIO prevent Lenovo from experiencing what happened to the Department of Veterans Affairs?

A: This is not a device issue. This is a data issue. It’s about: How do you handle access and governance? How do you handle the question of who can take data outside your company? That’s a data issue. That’s not a technology issue.

Q: Would you, as CIO, get involved in that discussion?

A: Absolutely.

Q: Who else is involved?

A: The business partners.

Q: How do you monitor access?

A: It depends on the data, and the governance as to who gets access to a customer database or record. Why does a salesperson in Minneapolis have to have information about someone in Italy? It’s the governance of the data, and making sure that people have enough data to do their job. But not more data than they need to have.

Q: How is that monitored at Lenovo? Is it reviewed on an ongoing basis?

A: It’s a variety of things. When you get a job profile, that profile dictates what records you have access to. Your log-on tells us something about who you are, your job profile, what information you need to do your job. Therefore, that dictates the data elements and the systems you get access to.

Q: What happens when someone moves to another job within the company?

A: When you change a job, you have a core of HR [human-resources] systems that says, “Tim was a salesperson; now he’s a global operations person.” When his job changes, his user ID should change as well as what systems and data he can access.

Q: Is that the job of human resources or the business manager?

A: It’s a business management function that says what is the data and the systems that the role needs to have access to. It then becomes an HR issue in terms of the execution; HR is in the middle of the process change, whether it’s a payroll record that’s changing or it’s a job status that changes.

Q: Who informs I.T. about the need for the change?

A: HR I.T. is reporting to the HR function, but they have to be closely aligned with the overall I.T. strategy.
