Change Takes Time
Enterprises, like ships, don't turn on a dime. Changing corporate culture, especially about security, takes time, says Burton Group principal analyst Fred Cohen.
"If [awareness programs] don't have integration with security people, it's a bad thing; people could be taught the wrong thing," Cohen says. "Programs don't have to be owned by the security organization, but they should be part of it."
Monahan was CIGNA's first IP champion, and already she and the IP coordinators she works with have helped influence important changes, like the use of unique ID numbers so that customers' profiles are no longer associated with their Social Security numbers. Projects are rolled out with a greater understanding of security implications because of the improved communication facilitated by the presence of coordinators.
"Through these coordinators, we get a lot more information coming back up, we understand it, and then we put the plan in place," Monahan says. "It's leading to these changes sticking better; we're getting more traction with them because there's communication down and up."
Bennett, meanwhile, gathers data on which communication and awareness techniques, like lunch-and-learn sessions or simple e-mail reminders, are most effective; the ones that work eventually become standard operating procedure.
"[IP coordinators] have their jobs, but they also work with us to give us that insight into what
Having people fluent in security sitting among the masses is a literal extension of the security office that wasn't possible six years ago, when Shumard took over as the de facto CISO of CIGNA.
In 1999, each of CIGNA's divisions had a security officer who was a liaison to operating and technology areas of the company. The officers developed policies and worked with different teams to protect the company's digital assets. But HIPAA was looming, and the realization was settling in that the company didn't have the resources to tackle the regulation's privacy and security requirements.
"They were neither fish nor fowl. They were neither the IP gurus, nor were they aligned in the business," Shumard says of the old security structure. "There were a lot of disconnects, which didn't work."
The first incarnation of the current model was the installation of both division and information security officers to establish a presence in the business and technology sides of the house. Information security officers were technology people who understood security, and division security officers were business people who, for the most part, understood security—which Shumard says was a challenge to find. Depending on the line of business, the number of individuals in these positions varied.
The faces, skill sets and demands were changing at CIGNA. Simultaneously, Shumard established six different groups of functional security experts versed in engineering and standards, vulnerability and risk management, incident response and business continuity, policy awareness and compliance, operations and privacy. Each group focused on assessing the risks in each of CIGNA's business processes, and developing benchmarks and scorecards to measure the growth and success of security initiatives.
This model was the standard at CIGNA from 2000 to 2004.
"In '99, when we started, [our scores] were very low," Shumard says. "We just got our benchmarking scores for '04, and while overall we're not best-in-class—that's not what we aspire to be; we aspire to be above a level of due care in all 19 categories [as defined by a Stanford Research Institute benchmark] and to make sure we're solid in all of the areas. In six of the 19, we were best in class, and in a number of the others, we were pretty close. We're pretty pleased with the progression."
This was first published in June 2005