Published: 24 Jun 2005
CIGNA makes business managers responsible for security.
As far as faces go, Pam Monahan's is hardly the typical expression of corporate security.
And as far as titles go, hers is way off too.
Or maybe it isn't.
Monahan is a senior project manager in the health care division of CIGNA, a worldwide health care benefits provider. She has no formal security training, and her current endeavor is a reorganization of the company's customer claims and call centers. But she and 75 of her peers from CIGNA's different business units are doing as much to establish a secure culture as any of the security pros.
Monahan is a new breed of security professional—someone CIGNA has dubbed an "information protection (IP) champion." She and those like her serve as conduits between the CISO's office and business managers, and symbolize the long-sought-after integration of security into a company's different lines of business.
Champions are part of an infrastructure of people that includes more than 50 information protection coordinators, who funnel their perspectives on how to best ingrain security messages and programs within different CIGNA divisions. They make security real as it applies to employees who, for example, process claims, service benefit plans and handle customer data, because they're the ones doing those jobs. The champions communicate in terms that apply to users, so security isn't a mandate from a faceless office, but something that has quietly morphed into a part of their job description.
For the enterprise, this management structure means that security is no longer a series of one-off projects, but rather part and parcel of the corporate culture.
"Previously, it felt like we had to prioritize things; it was either do security or get your business done. It was a Catch-22: I have to serve my customers, but I have to do these [security] things," Monahan says. "This integrated security approach doesn't put people in a situation where it's this or that; it's part of how we do our business."
A Paradigm Shift
Amy Bennett is also an official face of security at CIGNA and has the title to match—information protection officer. Bennett and Craig A. Shumard, VP of information protection, are the architects of CIGNA's revolutionary overhaul, which is part campaigning awareness and part crossing the cultural chasm.
Bennett is the epitome of CIGNA's security model, which began six years ago with the dissolution of traditional and inefficient division security offices. It's her job to mesh the different lines of business within CIGNA, learn their cultures and language, and adjust the security office's message accordingly. She does this by recruiting and molding IP champions and coordinators, who offer practical experience and insight into business processes, and guarantee that the message is imprinted on CIGNA's 27,000 employees.
"The first type of dialogue we have when folks are named IP coordinators or champions is talking about why this is important," Bennett says. "We talk about RFPs and persistency levels, and how they impact our bottom-line business in terms of our membership and financials. As soon as you start framing things from a customer's perspective and understanding how this directly impacts a company's success, you get buy-in, and then you can start having meaningful dialogue."
Yankee Group senior analyst Jim Slaby says that framing security messages from peers and immediate superiors is more effective than the more common method of a periodic pep talk from the CEO or CISO.
"[If it comes from an immediate superior,] it's not just some pain-in-the-rear thing IT wants you to do to make life complicated and difficult. This is just how we do business around here," Slaby says. "I agree that would be a more effective approach; I just haven't seen a lot of it yet."
Slaby says most messaging comes from security and IT operations, but C-level managers also spread the word.
"Pep talks are a cheap and effective way to do it," Slaby says. "It comes from the top-down during new employee meet-and-greets, for example, where he says, 'Oh, by the way, we're very serious about security as a business practice here; we're under a lot of scrutiny from regulatory agencies. Don't put me in an orange jump suit.' That's more of a common tactic."
Change Takes Time
Enterprises, like ships, don't turn on a dime. Changing corporate culture, especially about security, takes time, says Burton Group principal analyst Fred Cohen.
"If [awareness programs] don't have integration with security people, it's a bad thing; people could be taught the wrong thing," Cohen says. "Programs don't have to be owned by the security organization, but they should be part of it."
Monahan was CIGNA's first IP champion, and already she and the IP coordinators she works with have helped influence important changes, like the use of unique ID numbers so that customers' profiles are no longer associated with their Social Security numbers. Projects are rolled out with a greater understanding of security implications because of the improved communication facilitated by the presence of coordinators.
"Through these coordinators, we get a lot more information coming back up, we understand it, and then we put the plan in place," Monahan says. "It's leading to these changes sticking better; we're getting more traction with them because there's communication down and up."
Bennett, meanwhile, gathers data on what communication and awareness techniques, like lunch-and-learn sessions or simple e-mail reminders, are most effective, and which eventually become standard operating procedure.
"(IP coordinators) have their jobs, but they also work with us to give us that insight into what makes security real for their particular areas," Bennett says. "On the IP champion side, people react to what's im-portant to their supervisors and management. IP champions are senior-level folks who not only have accountability for information protection, but also act as a conduit across the senior business management team. They're the ones who say, 'This is important.' When they do that, it has a trickle-down impact."
Having people fluent in security sitting among the masses is a literal extension of the security office that wasn't possible six years ago, when Shumard took over as the de facto CISO of CIGNA.
In 1999, each of CIGNA's divisions had a security officer who was a liaison to operating and technology areas of the company. The officers developed policies and worked with different teams to protect the company's digital assets. But HIPAA was looming, and the realization was settling in that the company didn't have the resources to tackle the regulation's privacy and security requirements.
"They were neither fish nor fowl. They were neither the IP gurus, nor were they aligned in the business," Shumard says of the old security structure. "There were a lot of disconnects, which didn't work."
The first incarnation of the current model was the installation of both division and information security officers to establish a presence in the business and technology sides of the house. Information security officers were technology people who understood security, and division security officers were business people who, for the most part, understood security—which Shumard says was a challenge to find. Depending on the line of business, the number of individuals in these positions varied.
The faces, skill sets and demands were changing at CIGNA. Simultaneously, Shumard established six different groups of functional security experts versed in engineering and standards, vulnerability and risk management, incident response and business continuity, policy awareness and compliance, operations and privacy. Each group focused on assessing the risks in each of CIGNA's business processes, and developing benchmarks and scorecards to measure the growth and success of security initiatives.
This model was the standard at CIGNA from 2000 to 2004.
"In '99, when we started, [our scores] were very low," Shumard says. "We just got our benchmarking scores for '04, and while overall we're not best-in-class—that's not what we aspire to be; we aspire to be above a level of due care in all 19 categories [as defined by a Stanford Research Institute benchmark] and to make sure we're solid in all of the areas. In six of the 19, we were best in class, and in a number of the others, we were pretty close. We're pretty pleased with the progression."
Listening and Learning
Seeking more interaction and sophistication to its security presence inside CIGNA, Shumard's group decided to blow up the DSO-ISO model early last year. "We now were able to move to next level of engaging the experts to the experts. We didn't need as much of that middle-liaison type of coaching or interface as was needed in the past," Shumard says. "We had developed on both sides—business and tech—a level of sophistication to get the right people together to work in a more efficient manner."
The impetus for IP champions and coordinators came from feedback generated during security focus groups. Cross sections of employees made up the groups, whose purpose it was to garner the level of security awareness present at CIGNA. But the meeting's real message was loud and clear: Users understood that security was important to CIGNA's success, but to make it relevant to their day-to-day jobs, that message had to come from their boss, rather than a bulk e-mail from the security office.
"If you can help ingrain that process with normal management and organizational processes, it means a lot more to us and shows that our bosses have bought in, and we feel more comfortable," Shumard says. "That's why we looked at the IP champions and coordinators as actual people in the business whose main job is doing the business, but that they would be the ones who would really be the advocates and facilitators to help get the security messages, processes and programs ingrained within the organization."
Information protection officers were centralized under Shumard's office, and champions and coordinators were recruited and appointed within CIGNA's business and technology operations.
Now that experts are talking to experts, Shumard and Bennett can get granular with benchmarks and scorecards, and obtain a tighter analysis of how secure the company is.
"You can sit in your ivory tower and push policies and procedures all you want. But knowing how it works in the real world—dealing with the people, and understanding their issues and having empathy for them—is the real benefit," Shumard says. "While we've had a motto of 'Information protection is everyone's responsibility,' it's not until we started to build on this newer model that we really started to feel it."