Listening and Learning
Seeking more interaction and sophistication in its security presence inside CIGNA, Shumard's group decided to blow up the DSO-ISO model early last year. "We now were able to move to the next level of engaging the experts to the experts. We didn't need as much of that middle-liaison type of coaching or interface as was needed in the past," Shumard says. "We had developed on both sides—business and tech—a level of sophistication to get the right people together to work in a more efficient manner."
The impetus for IP champions and coordinators came from feedback generated during security focus groups. The groups were made up of cross sections of employees, and their purpose was to gauge the level of security awareness present at CIGNA. But the meetings' real message was loud and clear: Users understood that security was important to CIGNA's success, but to make it relevant to their day-to-day jobs, that message had to come from their boss rather than from a bulk e-mail sent by the security office.
"If you can help ingrain that process with normal management and organizational processes, it means a lot more to us and shows that our bosses have bought in, and we feel more comfortable," Shumard says. "That's why we looked at the IP champions and coordinators as actual people in the business whose main job is doing the business, but that they would be the ones who would really be the advocates and facilitators
Information protection officers were centralized under Shumard's office, and champions and coordinators were recruited and appointed within CIGNA's business and technology operations.
Now that experts are talking to experts, Shumard and Bennett can get granular with benchmarks and scorecards, and obtain a tighter analysis of how secure the company is.
"You can sit in your ivory tower and push policies and procedures all you want. But knowing how it works in the real world—dealing with the people, and understanding their issues and having empathy for them—is the real benefit," Shumard says. "While we've had a motto of 'Information protection is everyone's responsibility,' it's not until we started to build on this newer model that we really started to feel it."
This was first published in June 2005