"We really drive these teams to execute and drive
specific requirements across the company," McKnight
says. "We're pretty advanced compared to most corporations."
How advanced? The structure is deep and complex,
beginning with the Corporate Security Council
at the top. Under the council is a core group of
standing committees including international security,
information security, contingency planning,
program security, security technology, government
liaisons and personnel security. Under each of those
committees are integrated process teams that drive
common requirements across the corporation and
achieve concurrence from business units on policy
and strategy.
"It is a policy-making body for the company," says
McKnight, who estimates that 50 percent of its time
is devoted to policy creation and maintenance.
Further evidence of its importance to the enterprise:
Northrop Grumman regularly evaluates the effectiveness
and necessity of its internal councils, and the
security council is one of 33 such bodies recognized
company-wide.
McKnight explains that once the
Corporate Security Council has signed
off on an initiative, the process moves
to the CIO Council for approval from
the CIO and eventually business unit
leaders. McKnight also relies on what
he calls a customer advisory group,
a collection of trusted leaders at the
VP level who provide a reality check
around security priorities.
"That's something I recommend
to all my peers; that helps give you a third-party view
on things and another check on what your investments
are," McKnight says.
Having the ear of influential decision makers
helps push through initiatives that have traversed
this chain of influencers with minimal resistance.
"If we get to the point that we're presenting
something at the sector level, they will ask if it
has been reviewed and approved by the security or
CIO councils," McKnight says. ...

"Because they're the
stakeholders for the company and they're communicating
to lines of business, they're helping drive
something that may be an enterprise effort."
The Corporate Security Council isn't only about
policy setting; it also engages on procurement.
"As a collective body, we're spending a significant
amount of corporate dollars on security as a whole;
a lot of time is spent with key suppliers trying to
control, or drive down, costs or improve performance,"
McKnight says.
An important deliverable coming out of the
council in the next 18 months is a smart card deployment
that will provide common access to buildings
and stronger logical access to systems. The coordination
between industrial and information security on
such a project is immense, from technology procurement
all the way down to badge design.
"I can't imagine, without a body like this, that we
would be finally at a point where we're all in agreement
and pushing forward on a very large corporate-wide program to roll out this capability that will
help us tremendously," McKnight says.
"It's a good place to be."
NO CHARTER, NO PROBLEM
Not all security steering committees are chartered.
American Electric Power of Columbus, Ohio, has
an Executive Security Committee that is made up
of senior executives from HR, legal and IT, as well
as operations and government affairs; reliability
officers; and those responsible for federal regulatory
compliance and compliance with rigid industry
standards set forth by NERC (North American
Electric Reliability Corp.).
While the committee has a standing set of members
and a regularly scheduled monthly meeting, it
is an ad hoc organization, says Jerry Freese, director
of enterprise information security and IT engineering
security. Freese says the membership can change
depending on the issues at hand and who is impacted
in the organization.