Published: 10 Jan 2009
A PICTURESQUE TABLE SETTING may gleam a mix of polished silver and crystal, but it's nowhere near perfect without...
the right guest list. People make a party, and this particular table is adorned with ornate place cards pointing your invitees to their spots: internal audit to the right, HR and finance across the table, IT to the left. No, this isn't your boss' board meeting; it's the regular gathering of the information security steering committee, and it's the CISO who is writing out the invitations and setting the table.
Information security steering committees aren't a new concept, but they are popping up in more corporate settings and allowing security management to better facilitate the integration of security into business processes. If you're a CISO with internal, industry or federal compliance mandates, it's becoming increasingly difficult to do business without establishing such a body.
But be forewarned: these aren't foolproof exercises. Before your security steering committee has muscle, before it formulates policies, debates liability and risk, and manages compliance obligations, it needs a sense of formality built on a legion of legwork usually done by a security manager eager to set his own table.
SECURITY STEERING COMMITTEE BEST PRACTICES
It may be sacrilege to hold an administrative meeting in the city of Seattle without serving coffee, but University of Washington CISO Kirk Bailey cannot afford caffeinated distractions when it comes to the institution's Privacy Assurance and Systems Security Council. The PASS Council is the epitome of a successful and influential security steering committee within an enterprise, one with a long reach into important decision-making entities.
Besides, if someone really wants coffee, there's a Starbucks on every corner. The PASS Council is a chartered organization at UW, and has administrative authority, oversees system security and privacy assurance and is responsible for the university's risk and compliance strategy for system security and privacy.
It meets monthly, and is likely Bailey's most indispensible tool when it comes to risk mitigation, policy development and the execution of compliance-related activities.Among the 16 regular invitees (14 voting and two advisory) are what would be considered business-unit leaders in an education setting: an assistant VP of human resources; executive director of risk management; lab director, computer science and engineering; HIPAA compliance officer; associate vice provost of enterprise information services; a facility security officer; executive director of internal audit; the campus police chief; and an assistant Attorney General, UW Division of the AG's office.
"It's just been a wonderful benefit to have that regularly scheduled, officially chartered body to throw ideas and issues around," Bailey says. "It's just been a delightful forum, an enormous benefit. And not just that it is supporting an institutional security and riskcontrol program; it's a powerful and persuasive group for you to act as a CISO with."
By gathering these important institutional people, Bailey, who chairs the PASS Council, has a one-stop forum to air out legal, compliance or privacy issues as they pertain to the security of systems. Risks associated with new initiatives are identified and hashed out in committee meetings, and budget arguments are formulated all with the goal of developing a strategic plan for information security at UW. Overall, the visibility of security is elevated to unprecedented heights.
"The PASS Council serves to promote security in very advantageous ways, especially if you're doing it in language [business leaders] understand," Bailey says. "PASS helped me produce, as a product, a risk picture, a strategic plan associated with the risk picture, a budget associated with the strategic plan, and ongoing reporting to management with their approval and endorsement. It's hard for anybody not to listen to what I'm asking for when it represents the institutional risk officers behind it. How could you operate without it?"
It's crucial too to keep these meetings strategic and about mitigating risk to individual business units or the enterprise overall, otherwise interest and attendance will wane and the effectiveness of the group ends.
Failure is not an option
1. Get the right buy-in from security, executives and business leaders that they will participate.
2. Don't get hung up on titles. Look for those who are interested in and could evangelize security or act as a liaison between security and the business.
3. Educate your committee members on how to think about risk and how it applies to their business; in turn they'll be able to make useful decisions.
4. Stay on topic. Don't talk about spam, vulnerabilities or patching. Keep meetings strategic and think about how you can steer the risk appetite of an organization.
5. Bring metrics to the table. This can't be a status meeting; you need metrics to be able to answer questions and make decisions based on historical data.
6. Charter the committee. Get formal sign-off from executive management and formalize roles and responsibilities for committee members.
7. Keep membership consistent and meet regularly.
8. Set the agenda and send out materials in advance.
SOURCES: Khalid Kark, Forrester Research; Kirk Bailey, Timothy McKnight, Jerry Freese.
"Don't let it be a status or operational meeting.Make it strategic where senior-level people are able to make decisions based on information being shared with them," says Forrester Research principal analyst Khalid Kark. "What often can happen is that senior executives come in to the first few meetings and talk about security. But over the course of a few months, things die down, and they start sending representatives, and then their representatives send their representatives, and the effort is not at the level where it initially started. It ends up being a logistical or operational type of effort where you're either going through status or going through information that does not mean anything to anyone attending-it's either too high level or low level."
The PASS Council's natural intersection of business and security officials facilitates the development and processing of security or privacy policies. Decision makers can expedite funding or approval of policy changes or spending on new security projects knowing that the PASS Council and its wide-ranging representation has already endorsed the initiative.
University of Washington Privacy Assurance and Systems Security (PASS) Council
CHAIRED BY Kirk Bailey
MEETS every fourth Monday of the month
CHARTERED by the university
2 ADVISORY non-voting positions
MEMBERS include campus police chief; vice presidents or directors of UW Medicine, Health Sciences, Computer Science and Engineering, Research Information Services and Risk Management (Underwriting); CIO; HIPAA compliance officer; executive director of internal audit and others.
DELIVERABLES include information systems and data security strategic plan; privacy policies, standards, guidelines, risk assessment and risk management program; incident response program; support services for UW compliance requirements.
"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful," Bailey says. "If an institution doesn't have one, it's missing an opportunity or you've overlooked a compliance requirement. If you're a security professional operating without such an entity, you're giving yourself a ton of work because you have to run around and talk to these people anyway."
Information security steering committees don't have to be strictly advisory. A powerful committee can also assist with incident response, and help minimize reputational risks and costs in the event of a breach. The UW PASS Council, for example, gave Bailey intervention authority to mitigate incidents with the blessing of the institution's risk managers, including the executive director sitting on the PASS Council who is the university's underwriter (UW is self-insuring and all risk questions have an immediate business interest, Bailey says).
"I get to move in without much argument because they know it's done with the consent of the risk manager, auditor and legal-it's hard for anyone to object to our involvement," Bailey says, adding that any complaints would eventually arrive at the desk of a senior manager who is likely associated with the council. "I know security pros are considered a little autocratic, but truth is, in a preemptive action, this council supports that need."
Bailey approaches incident mitigation and response as a service, arriving not only with his expertise, but with the necessary tools and forms required to fend off disaster and appropriately document it. Departments can use that documentation, for example, to make their case for budget changes to prevent future recurrences.
"If the PASS Council becomes involved, people trust it. If you're a department manager who has had a terrible breach, and you're looking at millions of dollars worth of losses and worried about reputation, if I knock at your door and say I'm here to take over this incident with your help, people are relieved," Bailey says. "(Public relations) is in place; we have legal opinions at the ready, risk underwriting ready to answer questions, all congealed into one quick-acting service. If it's planned well, I can't understand living without it."
Bailey says for a security steering committee to flourish it's important that the membership remain fluid and represent an institution's most important risk and administrative areas. Ensure that the committee's interactions meet the needs of its member business units because that helps support its acceptance and effectiveness as an institutional body. And, he says, don't be afraid to expand the group's responsibilities as chartered by providing services in areas that might seem out of its scope, especially in terms of IT policy development.
"If you want this to be well established, you have to dedicate time to it as a security professional. You've got to dedicate resources and energy to make this happen and keep it vital," Bailey says. "I invest an enormous amount of time in it to keep it growing and thriving."
Northrop Grumman, similar to UW, has a chartered information security steering committee that's been part of the fabric of the defense contractor's information security program for more than a decade. With a roster of internal heavyweights including information and industrial security, lines of business heads of security, as well as representatives of legal and human resources, Northrop Grumman's Corporate Security Council has authority over everything pertaining to information security from buyer contingency planning to investigative issues, says Timothy McKnight, vice president and CISO.
Northrop Grumman Corporate Security Council
CHAIRED BY Timothy McKnight
CHARTERED for more than 10 years
QUARTERLY meetings are face-to-face; monthly meetings are teleconferences
MEMBERS include information and industrial security, HR, legal and business unit heads of security.
OBJECTIVES Policy making and procurement
"We really drive these teams to execute and drive specific requirements across the company,"McKnight says. "We're pretty advanced compared to most corporations." How advanced? The structure is deep and complex, beginning with the Corporate Security Council at the top. Under the council is a core group of standing committees including international security, information security, contingency planning, program security, security technology, government liaisons and personnel security. Under each of those committees are integrated process teams that drive common requirements across the corporation and achieve concurrence from business units on policy and strategy.
"It is a policy-making body for the company," says McKnight, who estimates that 50 percent of its time is devoted to policy creation and maintenance. Further evidence of its importance to the enterprise: Northrop Grumman regularly evaluates the effectiveness and necessity of its internal councils, and the security council is one of 33 such bodies recognized company-wide.
McKnight explains that once the Corporate Security Council has signed off on an initiative, the process moves to the CIO Council for approval from the CIO and eventually business unit leaders.McKnight also relies on what he calls a customer advisory group, a collection of trusted leaders at the VP level who provide a reality check around security priorities.
"That's something I recommend to all my peers; that helps give you a third-party view on things and another check on what your investments are,"McKnight says.
Having the ear of influential decision makers helps push through initiatives that have traversed this chain of influencers with minimal resistance. "If we get to the point that we're presenting something at the sector level, they will ask if it has been reviewed and approved by the security or CIO councils," McKnight says. "Because they're the stakeholders for the company and they're communicating to lines of business, they're helping drive something that may be an enterprise effort." The Corporate Security Council isn't all about policy setting, but engagement on procurement as well.
"As a collective body, we're spending a significant amount of corporate dollars on security as a whole; a lot of time is spent with key suppliers trying to control, or drive down, costs or improve performance," McKnight says.
An important deliverable coming out of the council in the next 18 months is a smart card deployment that will provide common access to buildings and stronger logical access to systems. The coordination between industrial and information security on such a project is immense, from technology procurement all the way down to badge design.
"I can't imagine, without a body like this, that we would be finally at a point where we're all in agreement and pushing forward on a very large corporate-wide program to roll out this capability that will help us tremendously,"McKnight says.
"It's a good place to be."
NO CHARTER, NO PROBLEM
Not all security steering committees are chartered. American Electric Power of Columbus, Ohio, has an Executive Security Committee that is made up of senior executives from HR, legal and IT, as well as operations and government affairs; reliability officers; and those responsible for federal regulatory compliance and compliance with rigid industry standards set forth by NERC (North American Electric Reliability Corp.).
While the committee has a standing set of members and a regularly scheduled monthly meeting, it is an ad hoc organization, says Jerry Freese, director of enterprise information security and IT engineering security. Freese says the membership can change depending on the issues at hand and who is impacted in the organization.
"The idea of the Executive Security Committee was to provide full disclosure of security for the business side. We're very aware of the need for integration for security and business," Freese says. "We can mandate security all we like in a vacuum, but as most companies have found out, that usually meets with a lot of resistance. The business has to be involved in all decisions that are made."
Having business stakeholders at the table enables security to lay out all the risks to the concerned parties, and, more importantly, provides an opportunity for discourse on the subject.
American Electric Power Executive Security Committee
CHAIRED BY Jerry Freese
MONTHLY meetings with a fluid membership
COVERS security initiatives, compliance activities, and legislative and regulatory updates.
MEMBERSHIP includes HR, legal, finance, IT, government affairs representatives, reliability officers and compliance officers.
"The whole idea is to get whoever could be the decision maker on the business unit side apprised of what we're tying to do, what it means to them, what not doing it means to them from a risk perspective, giving them input from us, and asking them to provide feedback to us," Freese says.
"We want to provide full disclosure of all events on the security side."
With stringent NERC cybersecurity rules bearing down on organizations such as Freese's, bringing all sides to the table via a steering committee takes on greater importance than ever. Freese runs the monthly meetings; he sets the agenda, which runs the gamut from updates on major security initiatives to compliance activities that must be communicated to the enterprise's commercial operations units, as well as any legislative or regulatory updates. "It's quite a lot," Freese says.
The committee will be invaluable going forward, he adds, because of the new NERC mandates. NERC is demanding that utilities such AEP identify and protect critical infrastructure assets and ensure reliable operation of the bulk electric system.
"It's a brand new thing for the electric sector.We have to come up with a lot of security implementations that we hadn't really dealt with before. Some of these are fairly significant projects that cost significant dollars," Freese says. "These are the type of things we have to explain why they are needed. I have a head start because it's a required set of initiatives; nevertheless, we have to come up with a cost-effective way to do this."
Freese says security organizations will eventually have to concede and formulate some sort of steering committee, otherwise they'll be operating in a vacuum and eventually impede business. For example, having legal and HR already at the table goes a long way toward solving any potential difficulties having to do with discovery or NERC compliance around HR management systems.
"[A steering committee] does a great deal to enhance the credibility of security if it's done correctly. I think it shows there are optimum solutions to protect the business as well as the company's data and networks," Freese says.
"It doesn't have to be adversarial. I think we're a good example. We've evolved into an organization that trusts that business and security will mesh and will sustain each other. It does change relationships a great deal."