This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
CIGNA makes business managers responsible for security.
As far as faces go, Pam Monahan's is hardly the typical expression of corporate security.
And as far as titles go, hers is way off too.
Or maybe it isn't.
Monahan is a senior project manager in the health care division of CIGNA, a worldwide health care benefits provider. She has no formal security training, and her current endeavor is a reorganization of the company's customer claims and call centers. But she and 75 of her peers from CIGNA's different business units are doing as much to establish a secure culture as any of the security pros.
Monahan is a new breed of security professional—someone CIGNA has dubbed an "information protection (IP) champion." She and those like her serve as conduits between the CISO's office and business managers, and symbolize the long-sought-after integration of security into a company's different lines of business.
Champions are part of an infrastructure of people that includes more than 50 information protection coordinators, who funnel their perspectives on how to best ingrain security messages and programs within different CIGNA divisions. They make security real as it applies to employees who, for example, process claims, service benefit plans and handle customer data, because they're the ones doing those jobs. The champions communicate in terms that apply to users, so security isn't a mandate from a faceless office,
For the enterprise, this management structure means that security is no longer a series of one-off projects, but rather part and parcel of the corporate culture.
"Previously, it felt like we had to prioritize things; it was either do security or get your business done. It was a Catch-22: I have to serve my customers, but I have to do these [security] things," Monahan says. "This integrated security approach doesn't put people in a situation where it's this or that; it's part of how we do our business."
A Paradigm Shift
Amy Bennett is also an official face of security at CIGNA and has the title to match—information protection officer. Bennett and Craig A. Shumard, VP of information protection, are the architects of CIGNA's revolutionary overhaul, which is part awareness campaign and part crossing of the cultural chasm.
Bennett is the epitome of CIGNA's security model, which began six years ago with the dissolution of traditional and inefficient division security offices. It's her job to mesh the different lines of business within CIGNA, learn their cultures and language, and adjust the security office's message accordingly. She does this by recruiting and molding IP champions and coordinators, who offer practical experience and insight into business processes, and guarantee that the message is imprinted on CIGNA's 27,000 employees.
"The first type of dialogue we have when folks are named IP coordinators or champions is talking about why this is important," Bennett says. "We talk about RFPs and persistency levels, and how they impact our bottom-line business in terms of our membership and financials. As soon as you start framing things from a customer's perspective and understanding how this directly impacts a company's success, you get buy-in, and then you can start having meaningful dialogue."
Yankee Group senior analyst Jim Slaby says that framing security messages from peers and immediate superiors is more effective than the more common method of a periodic pep talk from the CEO or CISO.
"[If it comes from an immediate superior,] it's not just some pain-in-the-rear thing IT wants you to do to make life complicated and difficult. This is just how we do business around here," Slaby says. "I agree that would be a more effective approach; I just haven't seen a lot of it yet."
Slaby says most messaging comes from security and IT operations, but C-level managers also spread the word.
"Pep talks are a cheap and effective way to do it," Slaby says. "It comes from the top-down during new employee meet-and-greets, for example, where he says, 'Oh, by the way, we're very serious about security as a business practice here; we're under a lot of scrutiny from regulatory agencies. Don't put me in an orange jumpsuit.' That's more of a common tactic."
This was first published in June 2005