Interview: BAE Systems head of strategy and architecture, Malcolm Carrie

Serving the IT needs of a large and expanding 'federated' user base that handles highly classified data can sometimes mean going against industry orthodoxies

Many IT departments are looking to standardise tools and systems across the enterprise, in a quest for increased simplicity and efficiency.

However, standardisation is not an approach that would suit the unusual business structure at defence contractor BAE Systems, according to Malcolm Carrie, the firm’s head of strategy and architecture. BAE Systems is made up of several interconnected divisions that operate under the same banner but maintain a degree of autonomy, under what Carrie describes as a “federated system”.

“IT people have a fetish about standardisation,” says Carrie. “But I don’t think that the important question is around standardisation, but about whether systems work, and you can easily collaborate and share information without wall-to-wall standards.”

Basically, the cost in time and effort required to create and maintain standards within BAE’s federated system would be too great when set against the benefits from such a system. As it stands, each division makes its own IT decisions.

In addition, the firm works at least as much with its external supply chain partners as with its own divisions, which would further complicate any attempt to standardise.

However, Carrie acknowledges that the fragmentation experienced as a result of a non-standard approach can be difficult to manage.

Using business intelligence (BI) as an example, Carrie explains that many people in the firm want access to a BI tool, but either can’t describe what they want, or can only describe their need in terms of a specific product.

“They come to me and say ‘I must have Cognos, or I must have Business Objects’. I ask what they are going to do with that, and the answer is ‘I don’t know’.”

The BI market is fragmented and diverse, with a large number of vendors to choose from, and an even larger number of add-ons and plug-ins available to augment their products.

“There are interoperability and efficiency issues around BI because the market is immature. But frankly so is our demand.”

BAE currently uses both Cognos and Business Objects, but Carrie adds that the group uses just about every tool currently available somewhere in its organisation. However, despite this fragmentation he has no desire to force a standard across the group because he sees the tool as less important than the information itself.

The group’s use of BI has grown through a process of evolution. Carrie explains that the company has adopted a bottom-up approach, meaning it hasn’t been driven by any form of corporate mandate.

In addition, BAE Systems has been very acquisitive in the past, again making business standardisation difficult.

“As an organisation we’re relatively acquisitive, we buy people and successful companies. Generally speaking, we don’t want to rip the guts out of successful companies that we’ve acquired. If they’ve already got a BI infrastructure, for example, then we’re more inclined to leave that in situ than tear it out.”

But that isn’t to say that the organisation will go out of its way to avoid creating standards, rather that it’s choosy about what it seeks to standardise. Carrie’s approach is to find commonalities, areas of business that are more generic, then harmonise those.

“Does a purchase order from an aircraft business look different from a purchase order from a security and intelligence business? Is that different from a purchase order from a submarine business? It is areas like these that we are trying to harmonise to reduce wasteful duplication,” he says.

Moving into information

BAE Systems is widely regarded as a military hardware company with products including jets, submarines and aircraft carriers. But Carrie sees the group increasingly moving into the information arena.

“We are moving into ‘information’. That’s partly because intelligence and security is all about information. And it’s partly because our products are increasingly computers with wings or tracks and a bit of camouflage. The IT content in what we sell has increased tremendously in the last 30 years.”

Carrie says many of BAE Systems’ IT staff are well qualified to provide customers with information services.

“These guys have been through the ITIL schools [ITIL trains staff in service management], they’ve got the practitioner badges,” says Carrie.

Consumerisation

The term “consumerisation of IT” describes a trend in which companies allow staff to access the corporate network on their own devices. The advantage to the enterprise is that it saves money on purchasing and supporting hardware, and the employee benefits by using their preferred tool.

But many organisations cite security fears as a reason to resist this trend. They argue that if you don’t manage the device, it’s far harder to secure the corporate network. As a defence contractor, security is paramount for BAE Systems.

The company runs networks and IT systems that are rated as “classified” by the governments it does business with. This means that it has achieved a certain security rating, and includes a set of rules about what can and can’t be done with those systems.

“We’ve all grown up with network perimeter boundaries, a guns, gates and guards approach to security. It’s clear that that doesn’t really work any longer, there are huge limits about how a perimeter-based security system can operate. And consumerisation completely destroys the perimeter.”

These government rules dictate that personally owned devices will not be allowed to access data in classified areas. But this does not rule out the entire corporate network, because not all of it is classified.

“Elsewhere within the company consumer devices are used to access the network. But there are also legal issues around this. If I have my personally owned iPad and I have the company’s information on it, what happens when I leave, or when I lose it? Do I give the company rights to put some sort of security software with kill packets on my personal device?”

The firm allows iPads and iPhones to access the corporate network in the North American divisions of BAE, although staff there have company-supplied devices with software installed allowing for remote control should something go awry. This means the company can wipe all corporate data from the device if it is lost or stolen.

However, these devices are not allowed in the UK.

“The only handheld device that we allow to connect to the network in the UK is the BlackBerry, and these are company-owned too. It’s primarily to do with the legality of protecting information.”

Carrie explains that the distinction between the UK and the US is partly down to the classification of the IT infrastructure. The vast majority of the IT infrastructure in the UK is classified, and the vast majority in the US is unclassified.

It’s also partly a cultural distinction.

“There’s a slightly less risk averse, IT friendly culture in the US, compared with the UK,” Carrie admits. “But overall these issues are behavioural, cultural and legal as opposed to technology issues.”

Cloud

He also explains that there are many legal issues around cloud use. “How do I know where my data is, if I need to impose a legal hold, can I do that? If somebody else sharing this cloud is impounded, what happens to my data?

“Vendors say don’t worry about it, everything can be encrypted, but what happens if there’s a legal obligation to decrypt and pass information to some agency?”

BAE Systems is subject to export controls imposed by the governments that make up its customers. The legal problem around the cloud arises from the differences in rules between those governments.

For example, the UK defines export by a geographical boundary. But US law defines export by the nationality of the recipient. So if you sit in a meeting room in your office and share information with someone from France, according to US law you have exported it.

And there are further complications. Carrie paints a scenario in which he places some export controlled information in a sealed envelope, flies to Washington, then returns without opening that envelope.

“Did I export it? Some legal advice says yes I did. That is a good analogy for the cloud because it describes the practice of hosting information.”

Despite the legal issues the company faces with cloud, it does use various private hosting systems in the UK, Europe and the US, some of which are multi-tenant. However, it does not use public offerings such as Amazon, or Google’s cloud products.