Published: 10 Jan 2009
SHAWN PARTRIDGE CONTINUALLY nudges his staff and his superiors at Rockford Construction in Grand Rapids, Mich., to view information security (and IT in general) as a means to bring about positive changes for an industry beset by economic woes.
"Until I came here, IT was a support mechanism," says Partridge, whose company has no CIO. "It was seen as a cost center only."
Since Partridge, vice president of IT, implemented Web portals to make site management easier, employees "used to running projects with a walkie-talkie and a pad of paper" are not only embracing the new technology but are helping him evangelize the importance of good security habits. "We implement different levels of access" for foremen, customers, and others with a stake in a project, Partridge says.
As threats to corporate data grow, putting organizations' reputation and revenue on the line, many CIOs and IT executives view information security with appropriate urgency. They're working to elevate security in the enterprise by expanding their roles and responsibilities, teaming up with CISOs or by occupying dual roles, leading both IT and information security efforts.
For its part, the American Red Cross initially created and filled its CISO spot about six years ago, says Mark Weischedel, CIO at the Washington, D.C.-based emergency response organization. Since then, the CISO's responsibilities have changed substantially.
"In the beginning it was all about policy and strategy," says Weischedel, who reports to the organization's CEO. "The CISO position was very highly leveraged, and the capabilities were very limited. Since then, we have added more technical depth, plus we are pushing out more [to the CISO] in terms of [security] policy, compliance, education and awareness."
He adds that a steady stream of attacks has elevated information security's importance across the organization. "They are an everyday occurrence, but unless you are immersed [in information security], you won't understand the risk enough to develop an effective level of controls" with which to respond to them, he says.
Suzanne Hall, named to the CISO post in October, says that the placement of the CISO and CIO within the Red Cross' hierarchy weighed heavily in her decision to accept the job. She reports to Weischedel.
"Mark and I had conversations about this during the recruitment process," says Hall, who most recently served as CIO at Lerner Enterprises, a real estate development company based in Rockville, Md., that also owns the Washington Nationals baseball team.
"I felt very confident that there was a strong synergy between the CISO and the CIO here, and I know that the CIO has a seat at the table with the CEO."
The Red Cross has what Weischedel describes as "well-established audit functions" among various groups within the organization, each a check and balance on the other. Among other positions, the Red Cross has a chief of audit, a chief of investigations and an ombudsman, any or all of whom may touch issues related to information security.
Security is so deeply woven into the fabric of the organization that "there is a natural partnership and affinity between the things our CISO does and the other parts of the Red Cross," he says.
Organizations continue to put security on the back burner as they dive into virtualization.
The sluggish adoption of security controls in virtualized environments illustrates how security remains an afterthought in many organizations, says Scott Crawford, research director at Enterprise Management Associates.
In an EMA survey of more than 600 enterprises worldwide, only 17 percent of respondents use detective controls to monitor hypervisor security. Just 26 percent use controls to prevent potential or detected hypervisor threats.
"IT has a once-in-a-generation opportunity to integrate security into a new technology in its earliest stages of deployment, yet what this data suggests is that IT, and the business, is missing the opportunity," Crawford says.
In the absence of significant numbers of proven threats, businesses are still weighing the need to integrate security directly into virtualization initiatives, he says. "Unfortunately, this means that even with new and emerging technology, we may be back to business as usual for dealing with threats after the fact, despite the security lessons so painfully learned over the last decade."
The Red Cross and other large, established organizations have the breadth and the resources to rearrange responsibilities as business demands and the threat landscape shift. Unfortunately, plenty of other organizations continue to view information security as a technical afterthought. That bias is reflected in how infosecurity managers' duties are viewed by others within the organization.
In many cases, "we are still seeing IT focused on the primary objectives of the business: delivering services, maintaining network availability," says Scott Crawford, research director of the security and risk-management practice at Enterprise Management Associates, an IT consulting firm in Boulder, Colo.
Security's role in addressing "risk management is often an afterthought, which is discouraging," he says. Crawford, former CISO at the Vienna-based Comprehensive Nuclear Test Ban Treaty Organization, says that rocky relationships between line-of-business personnel and security managers continue in many organizations.
"The business people, and even some in IT, tend to see security staff as being in the business of saying no: 'No, you cannot pursue this line of business because it is too great a security risk,'" says Crawford. Until management takes the view that information security touches the business at every level, clashes are likely to continue, he adds.
In order to persuade others in the C-suite to give appropriate weight to information security, savvy CIOs frequently take pains to work closely with employees outside of IT. Education is of paramount importance in that effort, says Tim Johns, the CIO and head of IT security at Georgia Urology.
"In the clinical environment, change is never a good thing," says Johns. "A lot of folks have worked here for a long time, so when you come in and say, 'You need to change your password,' they say, 'But I like my password; it's my daughter's wedding [date]!' You have to sell them on the reasons why they need to change their password. You tell them, no, we're not being attacked, but I am trying to prevent that from happening."
"I like to say that I have 28 bosses," he adds. Johns reports to the CEO and the managing partner, to say nothing of the two dozen-plus physicians with whom he and his staff work every day. Although he says GU's CEO thought Johns "went a little overboard" when he expanded GU's security policy from three pages to 37, some explanations about the necessity for HIPAA compliance and other regulations helped the CEO understand precisely why Johns was implementing a host of new procedures and rules.
And just as business people need to elevate security considerations, security people need to prioritize learning about their companies and the type of security risks that could harm them, says the Red Cross' Hall.
"Traditionally, CISOs have not had that business focus," she says. "As a profession, CISOs must work as a group to help build that skills set. It's a model we must continue to develop."
At retail giant Target, recent changes to top management's responsibilities around security reflect a push to elevate some infosecurity matters to a new level of business criticality.
Over the last couple of years, "we made the decision to treat corporate compliance, fraud prevention and other areas primarily as business risks, then as technical challenges," says Tony Heredia, vice president of corporate risk and responsibility at the Minneapolis-based company.
Target's size and scope drove the changes. Given the array of industries the company straddles (retail, financial services, health care), the company found itself "pulled in recent years in different directions around regulations, from PCI to HIPAA to GLBA," Heredia says. "We needed to find a way to address all of these risks."
Thus some issues related to security standards and governance now live in his group's purview, while Beth Jacob, Target's CIO and a peer of Target's general counsel (to whom Heredia reports), continues to oversee the technical aspects of the company's information security strategies.
As an example, Heredia points to ongoing efforts to shape employees' security-related behavior, such as educating them about why keeping password-covered sticky notes on or near their computers is a bad idea. While this task had once been handled by those on the technical side of the house, it's now considered part of standards, governance, training and enforcement, all of which Heredia and his staff ultimately oversee.
In shifting duties around, "we took our time," he adds, noting that technical and organizational changes designed to address new ways of managing risk have been phased in over the last two years.
Top 10 Priorities
Every year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state CIOs to identify their top policy and technology issues. Here are the results for 2009:
2. Shared services
3. Budget and cost control
5. Electronic records management/digital preservation/e-discovery
6. ERP strategy
7. Green IT
9. Health information technology
2. Document/content/email management
3. Legacy application modernization and upgrade (ERP)
4. Networking, voice and data communications, unified communications
5. Web 2.0
6. Green IT technologies
7. Identity and access management
8. Geospatial analysis and geographic information systems
9. Business intelligence and analytics apps
10. Mobile workforce enablement
"Security has been a high priority and will continue to be. States are relatively open environments simply because of the nature of their business and it can be problematic."
--DOUG ROBINSON, NASCIO executive director
Given that each organization needs to consider myriad factors, from its size to the regulations it faces to its security or IT head count, Enterprise Management's Crawford suggests that it's often best when security personnel report directly to the CEO rather than to the CIO.
"You don't want to have the person who is supposed to be keeping tabs on doing the right thing reporting to the group they are supposed to be keeping tabs on," he says.
At Rockford Construction, Partridge reports to the vice president of operations, who reports to the executive VP, who reports to the CEO. He is optimistic that his influence will grow over time.
"Management is still trying to figure out where I really fit into the organization," he says. "It would be good to have IT and information security in a more strategic, less reactive arrangement."