Pleasing Google's Tech-Savvy Staff
Information Officer Finds Security in Gadget Freedom of Choice
How do you run the information-technology department at a company whose employees are considered among the world's most tech-savvy?
Douglas Merrill, Google Inc.'s chief information officer, is charged with answering that question. His job is to give Google workers the technology they need, and to keep them safe -- without imposing too many restrictions on how they do their job. So the 37-year-old has taken an unorthodox approach.
Unlike many IT departments that try to control the technology their workers use, Mr. Merrill's group lets Google employees download software on their own, choose between several types of computers and operating systems, and use internal software built by the company's engineers. Lately, he has also spent time evangelizing to outside clients about Google's own enterprise-software products -- such as Google Apps, an enterprise version of Google's Web-based services including email, word processing and a calendar.
Mr. Merrill, who has surfer-length hair and follows a T-shirt dress code, studied social and political organization at the University of Tulsa in Tulsa, Okla., and then went on to earn master's and doctorate degrees in psychology from Princeton University. His education in IT came largely from jobs as an information scientist at RAND Corp., senior manager at Price Waterhouse and senior vice president at Charles Schwab & Co. He joined Google in late 2003.
We sat down with Mr. Merrill to talk about Google's approach to IT. Excerpts:
The Wall Street Journal: What's the structure of the IT organization at Google?
Mr. Merrill: We're a decentralized technology organization, in that almost everyone at Google is some type of technologist. At most organizations, technology is done by one organization, and is very locked-down and very standardized. You don't have the freedom to do anything. Google's model is choice. We let employees choose from a bunch of different machines and different operating systems, and [my support group] supports all of them. It's a little bit less cost-efficient -- but on the other hand, I get slightly more productivity from my [Google's] employees.
WSJ: How do you support all of those different options effectively?
Mr. Merrill: We offer a lot more self-service. For example, let's say you want a new application to do something. You could take your laptop to a tech stop [areas in Google offices where workers can get technical support], but you can also go to an internal Web site where you download it and install the software. We allow all users to download software for themselves.
WSJ: Isn't that a security risk?
Mr. Merrill: The traditional security model is to try to tightly lock down endpoints [like computers and smartphones themselves], and it makes people sleep better at night, but it doesn't actually give them security. We put security into the infrastructure. We have antivirus and antispyware running on people's machines, but we also have those things on our mail server. We have programs in our infrastructure to watch for strange behavior. This means I don't have to worry about the endpoint as much. The traditional security model didn't really work. We had to find a new one.
WSJ: You depend in large part on open-source software or software that's built internally. What are some examples? What are the benefits?
Mr. Merrill: We do buy software where it makes sense to -- for example, we have a general ledger [accounting software] from Oracle; Oracle did a good job. Where it makes more sense to buy, we'll buy; where it makes more sense to build our own, we'll build. An example: Our [customer-relationship management] software is tightly integrated with our ad system, so we had to build our own.
We also believe there should be competition -- for instance, in operating systems, because different operating systems do different things well. We run search off of Linux. We run the Summer of Code where we pay college students to work on open-source projects that they think are useful.
WSJ: What's driving the "consumerization" of tech in the enterprise, where companies are borrowing tech ideas from the consumer Internet?
Mr. Merrill: Fifteen years ago, enterprise technology was higher-quality than consumer technology. That's not true anymore. It used to be that you used enterprise technology because you wanted uptime, security and speed. None of those things are as good in enterprise software anymore [as they are in some consumer software]. The biggest thing to ask is, "When consumer software is useful, how can I use it to get costs out of my environment?"
Google Apps is hosted on my infrastructure, and [the Premier Edition] costs roughly $50 a seat. You can go from an average of 50 megabytes of [email] storage to 10 gigabytes and more. There's better response time, you can reach email from anywhere in the world, and it's more financially effective.
WSJ: When you make that pitch to other CIOs, what are they most skeptical about?
Mr. Merrill: When I talk to Fortune 100 CIOs, they want to understand, "What is your security model? Is it really as reliable? What's the catch?"
The answer is, I had to build this massive infrastructure to run Google, so adding all the enterprise data isn't a big deal. I already had to build security standards because search logs are really private. Very few [Google employees] have access to consumer data, [and those who do] have to go through background checks. We have a rich relationship with the security community -- so when people find problems, they tell us. We have more than 150 security engineers who do nothing but security. We don't have a security priesthood: Every engineer is trained. We use automated tools that check every engineer's code.
We're able to invest in information security in a way that most people aren't. We did it because of search. In some sense, Google Apps is just a byproduct.
By Vauhini Vara
Wall Street Journal; March 18, 2008
