Pleasing Google’s Tech-Savvy Staff
Information Officer Finds Security in Gadget Freedom of Choice
By VAUHINI VARA
March 18, 2008; Page B6
http://online.wsj.com/article/SB120578961450043169.html
How do you run the information-technology department at a company
whose employees are considered among the world’s most tech-savvy?
Douglas Merrill, Google Inc.’s chief information officer, is charged
with answering that question. His job is to give Google workers the
technology they need, and to keep them safe — without imposing too
many restrictions on how they do their job. So the 37-year-old has
taken an unorthodox approach.
Unlike many IT departments that try to control the technology their
workers use, Mr. Merrill’s group lets Google employees download
software on their own, choose between several types of computers and
operating systems, and use internal software built by the company’s
engineers. Lately, he has also spent time evangelizing to outside
clients about Google’s own enterprise-software products — such as
Google Apps, an enterprise version of Google’s Web-based services
including email, word processing and a calendar.
Mr. Merrill, who has surfer-length hair and follows a T-shirt dress
code, studied social and political organization at the University of
Tulsa in Tulsa, Okla., and then went on to earn master’s and doctorate
degrees in psychology from Princeton University. His education in IT
came largely from jobs as an information scientist at RAND Corp.,
senior manager at Price Waterhouse and senior vice president at
Charles Schwab & Co. He joined Google in late 2003.
We sat down with Mr. Merrill to talk about Google’s approach to IT. Excerpts:
The Wall Street Journal: What’s the structure of the IT organization at Google?
Mr. Merrill: We’re a decentralized technology organization, in that
almost everyone at Google is some type of technologist. At most
organizations, technology is done by one organization, and is very
locked-down and very standardized. You don’t have the freedom to do
anything. Google’s model is choice. We let employees choose from a
bunch of different machines and different operating systems, and [my
support group] supports all of them. It’s a little bit less
cost-efficient — but on the other hand, I get slightly more
productivity from my [Google’s] employees.
WSJ: How do you support all of those different options effectively?
Mr. Merrill: We offer a lot more self-service. For example, let’s say
you want a new application to do something. You could take your laptop
to a tech stop [areas in Google offices where workers can get
technical support], but you can also go to an internal Web site where
you download it and install the software. We allow all users to
download software for themselves.
WSJ: Isn’t that a security risk?
Mr. Merrill: The traditional security model is to try to tightly lock
down endpoints [like computers and smartphones themselves], and it
makes people sleep better at night, but it doesn’t actually give them
security. We put security into the infrastructure. We have antivirus
and antispyware running on people’s machines, but we also have those
things on our mail server. We have programs in our infrastructure to
watch for strange behavior. This means I don’t have to worry about the
endpoint as much. The traditional security model didn’t really work.
We had to find a new one.
WSJ: You depend in large part on open-source software or software
that’s built internally. What are some examples? What are the
Mr. Merrill: We do buy software where it makes sense to — for
example, we have a general ledger [accounting software] from Oracle;
Oracle did a good job. Where it makes more sense to buy, we’ll buy;
where it makes more sense to build our own, we’ll build. An example:
Our [customer-relationship management] software is tightly integrated
with our ad system, so we had to build our own.
We also believe there should be competition — for instance, in
operating systems, because different operating systems do different
things well. We run search off of Linux. We run the Summer of Code
where we pay college students to work on open-source projects that
they think are useful.
WSJ: What’s driving the “consumerization” of tech in the enterprise,
where companies are borrowing tech ideas from the consumer Internet?
Mr. Merrill: Fifteen years ago, enterprise technology was
higher-quality than consumer technology. That’s not true anymore. It
used to be that you used enterprise technology because you wanted
uptime, security and speed. None of those things are as good in
enterprise software anymore [as they are in some consumer software].
The biggest thing to ask is, “When consumer software is useful, how
can I use it to get costs out of my environment?”
Google Apps is hosted on my infrastructure, and [the Premier Edition]
costs roughly $50 a seat. You can go from an average of 50 megabytes
of [email] storage to 10 gigabytes and more. There’s better response
time, you can reach email from anywhere in the world, and it’s more
WSJ: When you make that pitch to other CIOs, what are they most skeptical about?
Mr. Merrill: When I talk to Fortune 100 CIOs, they want to understand,
“What is your security model? Is it really as reliable? What’s the
The answer is, I had to build this massive infrastructure to run
Google, so adding all the enterprise data isn’t a big deal. I already
had to build security standards because search logs are really
private. Very few [Google employees] have access to consumer data,
[and those who do] have to go through background checks. We have a
rich relationship with the security community — so when people find
problems, they tell us. We have more than 150 security engineers who
do nothing but security. We don’t have a security priesthood: Every
engineer is trained. We use automated tools that check every
We’re able to invest in information security in a way that most people
aren’t. We did it because of search. In some sense, Google Apps is
just a byproduct.