This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
If you want to do business with Home Depot, you've got to get past information risk manager Tony Spurlin's team of engineers. Using comprehensive evaluation processes and his homegrown assessment framework, his team examines potential partners' cor- porate security posture. Partners that haven't nailed down their security don't connect to Home Depot.
How rigorous is your certification process? We have to provide an on-site assessment for our partners if they want to connect to us or use our data in any way. A team of engineers travels on site, and [the partner] goes through an interview, which is standardized and based on an information security framework I developed. It's a top-down, drilled down look at their corporate security posture, policies, technology solutions, and management and monitoring of security policies. Then, there's a final gap analysis to determine if they are in compliance with Home Depot policies.
Do you run into resistance from partners? If there are issues, we recommend remediation, and they must remediate before anything goes into production. Most realize the value-add this provides. We report to them a good snapshot of their information security operation. They tell us it's just like a Big Four audit, and they learn a lot from it. It's done at no charge; it's part of doing business. We take managing our brand and customer data very seriously.
What security demands do you make of partners? We demand
What is the return for Home Depot? The return is huge. We're an $83 billion company, so you can imagine the volume of business we do. The cost of sending staff on an assessment is less than 1/10th of a percent of that.
Was it an easy sell to upper management? It was not a tough sell; everybody jumped on board. We have a Wall of Shame in our office where we pin all the data-breach headlines as they happen. When an executive asks why we need to do this, we walk them by the wall.
Read the complete interview at searchsecurity.com/ismag
This was first published in May 2006