Creating a Balanced IT Portfolio

The CIO of the Financial Industry Regulatory Authority (FINRA) weighs the risk and return on cloud computing and other technology innovations that can help advance business goals.

Charlie Feld: As the private-sector regulator of securities brokers and dealers, how have you responded to the changes brought on by Wall Street consolidation, government intervention and the loss of investor confidence?

Marty Colburn: We write and enforce securities rules, and we regulate equity and fixed-income markets. What you see is a very dynamic environment, to say the least. Our market volumes have increased dramatically. Examiners have had to step up the requirement to look at the industry and our member firms. Having systems that can keep up has been critical.

To enable these services, IT takes a product management view very similar to what you would see in a technology company. We have product managers that sit in our business, and just as a product manager in a tech company would aggregate requirements with marketing and then figure out what products you take to market, they aggregate the requirements from the business working with technology and then figure out what enhancements to the portfolio or new technologies you'd bring to bear as the business problems change.


In the past few years, we've spent a lot of time investing in data warehouse appliance technology to be able to process enormous amounts of data that flow through our analytical engines. This was an innovative technology in 2005 when we adopted it.

We don't like to deploy emerging technologies too early. We think that there's a potential cost to support them. But where we know we have a business problem and we need to adopt some technologies that aren't necessarily available in a mature state, we have to invest and get those to a very good state quickly.

We looked at grid computing from a company called GigaSpaces, but they really relied upon high-end technologists to implement the technology. I looked at the risk of the vendor and the risk of technology, and I said that's probably not a bet we want to make.

We then looked at data warehouse appliance technology. Netezza at the time was the most mature. They were still in what I would call the innovator, early-adopter stage, but we thought it would be the best fit for us. We hired good architects and good technologists to build out that technology.

We've employed text mining technology. Our focus has been on technologies that enable us to look at structural issues within the markets and the products being sold. We look at anomalies, and we look at different data types and how we can make better decisions.

We've been looking at cloud computing; we don't find that to be mature. Most cloud providers don't have well-defined views of their architecture layers. Essentially, external clouds are treated as a black box of services. We believe they achieve economies of scale by running their services in virtualized environments, but we're concerned about reliability, availability, serviceability and security. As state data-privacy laws continue to require more investment in security, we believe cloud providers will need to demonstrate these protections are in place for consumers. Thus, we've adopted internal clouds that we can manage and control, and we continue to evaluate external clouds as they mature.

On the maintenance side, you're constantly checking to make sure that application is doing what it's supposed to do against its use cases and its requirements. The challenge you have when you have a portfolio as it ages is how do you ensure that your legacy portfolio continues to operate properly. We do independent verification and validation, looking at these applications and seeing if they're atrophied, and also looking at things like security compliance. That becomes one of the bigger issues as you look at the increasing number of privacy laws across states.

Charlie Feld: Many organizations are facing regulatory changes that are continuously evolving. How do you cope with that?

Marty Colburn: I think you have to have very good alignment. This is a generalization that may not be fair, but I think most companies that are waiting and reacting to changes don't have great alignment. As regulatory reform conversations are happening, I'm included in meetings as to how they may take shape and how they're going to affect us. Similarly, if there are going to be changes to existing rules, whether they're coming from the SEC or through our business, I'm involved in those conversations, as is my team.

Similar to tech companies, we don't just plan on a month-to-month basis; we have 18-month road maps that lay out everything we believe we need to do based on changes to the business and that business's technical regulatory compliance. We have a very good pipeline of work that can be adjusted based on things happening dynamically within the industry. Even in a fast-changing environment, as long as you have a good planning process and a good lens, you just have to go faster.

Charlie Feld: What is the ability of your broker-dealer members to consume some of these changes right now?

Marty Colburn: Anytime we look to change a rule to improve or increase regulation, we reach out to our member firms. We go through a process of letting them know what we're thinking and getting their input.

So we've determined technology implications along the way and worked with the firms on that. We have a number of different committee structures that allow us to get feedback and determine how we're going to address that both internally and then with our firms. It's very much a dialogue before we get into implementing the rules.

We have an industry technology advisory council that gives feedback on our technology strategies and the effect of our rules and technology on them. We have a constant dialogue with the technologists in the industry, comprised of both small, medium and large firms, to give me good feedback on where we should be making adjustments on technology.

It's my sense based on the conversations that I have with the industry that firms are starting to invest heavily in risk management, and I think that's a good thing. Risk management is one component of compliance.

A member of the CIO Hall of Fame, Charlie Feld retired from HP in 2008. In 2009, he relaunched The Feld Group, focused on IT leadership training and development.

Copyright © 2009 IDG Communications, Inc.
