This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
"I get to move in without much argument because they know it's done with the consent of the risk manager, auditor and legal; it's hard for anyone to object to our involvement," Bailey says, adding that any complaints would eventually arrive at the desk of a senior manager who is likely associated with the council. "I know security pros are considered a little autocratic, but truth is, in a preemptive action, this council supports that need."
Bailey approaches incident mitigation and response as a service, arriving not only with his expertise, but with the necessary tools and forms required to fend off disaster and appropriately document it. Departments can use that documentation, for example, to make their case for budget changes to prevent future recurrences.
"If the PASS Council becomes involved, people trust it. If you're a department manager who has had a terrible breach, and you're looking at millions of dollars worth of losses and worried about reputation, if I knock at your door and say I'm here to take over this incident with your help, people are relieved," Bailey says. "(Public relations) is in place; we have legal opinions at the ready, risk underwriting ready to answer questions, all congealed into one quick-acting service. If it's planned well, I can't understand living without it."
Bailey says that for a security steering committee to flourish, its membership must remain fluid and represent an institution's most important risk and administrative areas. The committee's interactions should meet the needs of its member business units, because that supports its acceptance and effectiveness as an institutional body. And, he says, don't be afraid to expand the group's chartered responsibilities by providing services in areas that might seem outside its scope, especially IT policy development.
"If you want this to be well established, you have to dedicate time to it as a security professional. You've got to dedicate resources and energy to make this happen and keep it vital," Bailey says. "I invest an enormous amount of time in it to keep it growing and thriving."
AUTHORITATIVE ROSTER
Northrop Grumman, similar to UW, has a chartered information security steering committee that's been part of the fabric of the defense contractor's information security program for more than a decade. With a roster of internal heavyweights including information and industrial security, lines of business heads of security, as well as representatives of legal and human resources, Northrop Grumman's Corporate Security Council has authority over everything pertaining to information security from buyer contingency planning to investigative issues, says Timothy McKnight, vice president and CISO.
Northrop Grumman Corporate Security Council
CHAIRED BY Timothy McKnight
CHARTERED for more than 10 years
QUARTERLY meetings are face-to-face; monthly meetings are teleconferences
MEMBERS include information and industrial security, HR, legal and business unit heads of security.
OBJECTIVES Policy making and procurement
This was first published in January 2009