Aligning Security and Company Risk
AFTER A MAJOR INCIDENT, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.
Many organizations, especially larger ones, have broad disparities in policy and compliance, according to Tommy Augustsson, information technology vice president at General Dynamics Corp. Trying to protect sensitive data with such an uneven approach is “a disaster waiting to happen,” he said at a recent Gartner security summit. After a major 2005 data breach, senior-level General Dynamics executives conducted a security review, Augustsson said, which eventually led to the development of a high-level risk management board.
Discussing the issue with regard to his own company's similar approach was Eric Cowperthwaite, chief information security officer at Seattle-based Providence Health & Services. After a 2005 data breach, involving insecure disposal of tapes containing data on about 380,000 patients, Providence also set up a high-level risk and governance board, and Cowperthwaite was chosen to head the group.
Both managers had strong backing from company leadership, which they said was instrumental in driving any changes.
In getting his group off the ground, Cowperthwaite met with many hospital administrators, learning about their existing security policies and approaches. He also conveyed to them the company’s new goal of creating improved organizational policy and risk governance as a way of ensuring, among other things, compliance with the Health Insurance Portability and Accountability Act (HIPAA).
The first body that the company formed to carry out this effort was the IT Security Council, which focused primarily on IT security-related matters, Cowperthwaite said. It was composed of high-level managers from each business unit, IT security managers, and executives in risk-oriented areas, such as legal and compliance. Ultimately, the company transitioned to a broader risk-based group, the Enterprise Risk Management Committee (ERMC), which included business unit executives, IT security staff, and managers from every major company vertical, ranging from human resources to the legal department to security.
Both Cowperthwaite and Augustsson said one of the biggest challenges in creating the boards was learning to think less exclusively about IT security. Over time, they said, they learned to think more about other managers’ goals and points of view. Regular meetings also helped them learn other units’ vocabularies.
The most significant effect of Providence’s effort was improved organization-wide security processes and accountability, Cowperthwaite said. Providence started looking less at broad security incident numbers and more at why and where incidents occurred. Recently, for instance, Cowperthwaite warned one manager that his hospital was responsible for about 80 percent of Providence’s stolen laptops. The manager, knowing he would be questioned about the losses by his supervisor, Providence’s COO, acted immediately to remedy the problem, Cowperthwaite said.
The ERMC has also changed how the company makes security purchasing decisions. Rather than having those decisions made by a single unit or a small technical group, they are discussed by the committee, which has several months to approve or disapprove a new security product. The committee helps ensure that product purchases are consistent and smart throughout the organization, Cowperthwaite said. Frequently, one or more members can share valuable insight about a potential purchase, he said.
Providence’s board also helped the company complete an agreement with the U.S. Health and Human Services Department, which administers HIPAA. The agreement states that Providence is now HIPAA-compliant, though it must still submit reports on security incidents and changes for the next three years.
The creation of the board was not always easy, Cowperthwaite said. “I sometimes felt I was living and breathing compliance.” But he said it was truly needed to bring his company up to HIPAA and other regulatory standards.
Augustsson said General Dynamics’ risk-management board was similarly effective for the large, decentralized company. Other companies looking to create such a board could begin by examining their own organization's structure and culture, he said. Companies might ask themselves whether a similar committee could work and also what kind of support it might receive.