As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.
"I ran into at least a half-dozen folks representing internal audit functions within companies and also people representing the business process side of the house," says White, the vice president of security and management products at the Redwood Shores, Calif.-based database giant. "There's definitely a convergence that's coming together."
Ever since the passage of the Sarbanes-Oxley Act (SOX) and the widespread adoption of state breach notification bills forcing companies to disclose data leaks, organizations nationwide have realized that achieving security is going to take, well, a village.
"Security touches so many different areas of business," says Allan Carey, program manager of security services and identity management research at Framingham, Mass.-based IDC. "With any type of new initiative or initiatives being driven by lines of business, security needs to be involved."
Somewhere during the last year, experts say, this push for organizational harmony and open dialogue has tipped from trend to practice. "Organizations have taken a step back and are asking, ‘How can we address these issues with a more holistic approach,'" White says.
What has emerged within organizations, especially larger companies forced to comply with the new wave of regulations, is a situation in which the CIO and CSO and the audit, risk management and privacy divisions are being forced to — like it or not — collaborate. More than four years removed from when SOX took effect [July 30, 2002], these entities are out of compliance shock mode, and are now attacking the issue with a more sensible approach, choosing to focus on decentralization and diversity.
Take, for instance, the recently formed Ethics and Compliance Oversight Committee at semiconductor giant Intel, based in Santa Clara, Calif. The committee is led by the company's internal audit director. But it also includes members of Intel's information and physical security divisions, in addition to health and safety, legal, human resources and finance teams. The goal is to examine how each business unit is responding to compliance and business principles — and then arrive at some aggregated decision.
This idea of cooperation and joint decision-making certainly makes sense, considering security has its hand in so many functions at a company. It is a critical component in determining risk. Compliance regulations, such as SOX and the Health Insurance Portability and Accountability Act (HIPAA), mandate certain security implementations. And the privacy of an employee or customer is directly related to how robust an organization's security posture is.
"The complexity of threats and vulnerabilities and the legal environment has grown," says Malcolm Harkins, general manager of information risk and security at Intel. "We've recognized that we have to work together to come up with the right company-wide answer. It's probably never going to be perfect, but as long as the communication channels are open...to me, that's the right approach."
Experts say meshing different cultures may lead to some friction, but in the end, combining different thought processes likely will lead to a more informed conclusion.
"It's amazing when we sit down and talk with someone face to face, how many issues we can resolve" says Ron Woerner, information risk manager at retail food distributor ConAgra Foods, based in Omaha, Neb.
"A lot of people don't realize the power of that. It's so easy to get wrapped up in our technology. It takes time to build up relationships, but the payoff is dramatic."
When it comes to tapping into the collective intelligence of an organization, Harkins is the right man for the job. He previously held finance roles at Intel before being tapped to run security and business continuity efforts in early 2002. Later, he led the company's compliance efforts. "I do think that because of the eclectic background I have, it does allow me to cross multiple paths a little bit easier to help think through some of the issues."
Aside from the Ethics and Compliance Oversight Committee, Harkins also is involved with the External Privacy and Security Review Board, which consists of academics, industry experts and Intel's privacy and security executives. The goal is to analyze Intel products to determine what their security and privacy ramifications might be.
"Privacy folks largely came up from the legal side, information security came up from the IT side, and auditing came up from accounting," Harkins says. "Because of this, you can have different ways of looking at things that will give you a different answer. We try to recognize that's the case. That's not wrong. it's just that we need to think about those different angles to come up with the right answer."
At Time Inc., the New York-based publisher of about 150 magazine titles, CIO Paul Zazzera says the company has instituted the SIREN (Security Incident Response Emergency Notification) team to address situations within minutes. "I think that broad organizational awareness is key," he says, adding that that it goes beyond security technology awareness.
However, Zazzera, like other security pros interviewed for this story, was reluctant to discuss specific security issues in which different members of the business worked together.
Compliance and risk
Violating compliance laws could lead to fines, prison time or perhaps worse, negative publicity. In 2006, data breaches cost companies an average
of $182 for each compromised record, an increase of 31 percent over the previous year, according to an October Ponemon Institute study. "I think a blazing headline helps create awareness," Zazzera says.
And compliance is becoming a reason to communicate across organizations. "Over the past 15 to 20 years, audit was seen as somehow trying to look under every rock and find something," Zazzera says. "But an internal or external auditor shouldn't be seen as a negative. They're actually partners to make sure you haven't left any holes behind."
Meanwhile, IT risk has evolved too, and now touches across organizations as efforts continue to align IT with business. Calling it a new paradigm, risk is no longer viewed in terms of potential damage to the company, but instead as a business enabler, says ConAgra's Woerner. "We're allowing the business to go faster because we are identifying what the dangers are," he says.
Kevin Cunningham, founder and president of Austin, Texas-based SailPoint, provider of governance, risk management and compliance solutions, says that corporate leaders who want to manage their business with good governance and responsibility have to understand IT risk as much as operations risk and financial risk. And to do that, they must understand what everyone's job role is.
"A lot of the incidents and data exposures is accidental behavior," he says. "As much as possible, you want to understand where that risk exists and eliminate it, because a lot of it is unwarranted risk."
While the obvious drivers — compliance and increased focus on IT risk — have led to discussions about security like never before, it still may be too early to tell how this newfound collaboration will shake out, experts say.
It may only really take hold across companies, such as large financial, manufacturing and health care enterprises, where consumer information and intellectual property is the foundation of the business.
"They have a different risk model," Woerner says. "If their IT systems are compromised, that could do great damage to their reputation. But if our IT systems are hacked, did it hurt the food?"
LOST IN TRANSLATION:
When different parts of an organization get confused about the meaning of something for which they are all responsible, significant problems can result.
Terminology often has a difficult time translating from the audit, risk and privacy world to the security technology world. "You need to understand why you're doing things," says Winn Schwartau, founder of The Security Awareness Company, focused on security training. "If you explain the reasons why to people, they're a lot more willing to work with you."
Kevin Cunningham, founder and president of SailPoint Technologies, provider of automated governance solutions, says executives within an organization create mandates — but the policy often gets muddled as it makes its way through departments. "It's that whole degree of business policy translation into IT policy that's lacking in business today, which makes it hard to manage from a risk perspective," he says.
He offers the example of a worker in a company finance department who is responsible for entering vendors into a database and signing off on their checks. This, obviously, creates a conflict of interest. But when the IT security side of an organization contacts the finance department and starts throwing around phrases such as "attribute settings" and "user permission," things get confusing.
For some organizations, it goes beyond creating an automated common language. Some corporations are also making efforts to train employees in different job roles.
"This is one of the biggest development areas for my organization," says Malcolm Harkins, head of information risk and security at Intel. "I want the SOX person to understand privacy. I want the privacy person to understand SOX. We have to do this as a team. The more people who have cross-discipline skills, the better off we'll be because we'll be able to look at security from different angles."
Some employees may put up some form of resistance, but it can be easily defeated, he says. "Most people now are getting how intertwined this stuff is," he adds. "We do need the equivalent of the human Swiss army knife that has enough visibility to enough things that we can put them in different spots."
— Dan Kaplan