Pfizer’s move to integrated ID management came with more than a few
hard-won lessons. For CIOs contemplating ID management overhauls or
smart card projects, Scott Potter, Pfizer’s senior director for
worldwide business technology, and Leslie Holbrook, director for
worldwide business technology, have five key suggestions.
1. Understand your business case, cold. “This is the only
bleeding-edge technology project [that I’ve worked on] that I felt
had an iron-clad business case,” Holbrook says. “We had a hard
business reason to push this.”
2. Build “as flexible a platform as you can afford,” Holbrook
says. Don’t skimp on memory or chips. Pfizer is seeing the
ability to add Java applets to its cards pay off—for example,
with a new biometrics application, she says. “Blow it out,” she
says, meaning leave room on the smart cards for unanticipated uses.
You don’t want to have to go out and redeploy cards after a
3. Leave plenty of time to craft your policies around
certificates and passwords. Pfizer had to deal with a multitude of
questions around passwords, reset times and the like. The
technology was ready before the policy. “Our digital signature
policy had about 100 authors,” Holbrook says. “I’m not sure how
long it is but it’s a sure cure for insomnia.” You’ll also have to
decide who’ll own the policy when it’s done, and it may not have a
natural home, she adds. At Pfizer, human resources, risk management
and internal audit groups own the policy.
4. Strike “a tight partnership with legal from the start,”
Holbrook says. “It’s really crucial.” Also, bring in outside help
to give your IT and legal staff advice on the bleeding-edge issues.
“We were able to tap into some consulting resources,” Holbrook
says, to bring in people experienced in the financial and legal
issues relating to digital credentials. In one example, Pfizer had
to confirm precisely what kinds of digital signature policies need
to be attached to its lab research notebooks.
5. Make sure the IT people on the project are flexible. “Being
on the bleeding edge always hurts a little,” Holbrook says. “You
need a team that can roll with the punches. There’s no solution for
this. There’s no standard API. It’s just not standard development