From CIO Digest, January 2010 Issue
Shortly after Thanksgiving Day, my grandmother begins putting out her Christmas holiday decorations. And while she has a number of them, there is one that holds special meaning, culling happy childhood memories: a two-foot Santa Claus holding a bottle of Coca-Cola in his right hand. She acquired the Santa from a local grocery store shortly after the Second World War when my dad and aunt were young children, and still proudly displays him and his bottle of Coca-Cola every holiday season.*
Absconding with the Coca-Cola bottle and uncapping its contents has proven to be too great of a temptation for three generations of children—initially her son and daughter, then her grandchildren, and most recently her great-grandchildren. As a result, in order to protect her Santa, my grandmother secures the Coca-Cola bottle by wrapping a rubber band around his right hand each year.
Needless to say, information security for The Coca-Cola Company is a bit more complex than a simple rubber band. Much has been written on the Coca-Cola brand. Acknowledged as the number one trademark in the world and said to be the most often-recognized word outside of “ok,” the Coca-Cola brand is ubiquitous around the globe and its equity is virtually impossible to calculate.
Chartered five years ago to develop a comprehensive information security program, Tom Place, the director of global technology and information security at The Coca-Cola Company, and his team keep this challenge in purview at all times. “It is crucial that we understand our real purpose,” says Place, who launched his career at The Coca-Cola Company 30 years ago as a telecommunications specialist. “When you think about the delivery of technology, or more specifically information security, it’s all about the needs of the business; how can we protect our brand and successfully position and sell our products in the marketplace.”
A formula for information security
Place leads the Global Technology Infrastructure Group, which is responsible for all data center environments, networks, client technology, digital collaboration, and IT help desk services. His charter also includes the Information Security and Regulatory Compliance group, a responsibility he assumed in 2004.
The evolution of its business model and the emergence of information security as a growing threat prompted The Coca-Cola Company’s executive management team to charge Place with transforming the company’s information security posture. Place perceived the assignment as both a challenge and opportunity. “Our efforts were somewhat disorganized,” he remembers. “We recognized that information security was becoming increasingly important to our business and saw the growing threat of cybercrime. It was an opportunity to build a capability from the ground up.”
One of the initial questions Place and his team addressed was the definition of security. “We developed an information security and regulatory compliance framework,” he explains, “which defined the scope of what security means for the company.” With a definition of an end state in place, they have used the framework as the basis for prioritizing initiatives and investment decisions.
In order to define the desired end state, Place and his team used the ISO27000 standard as the basis. “We worked with our bottling partners and industry leaders such as Symantec, IBM, Microsoft, PricewaterhouseCoopers, Deloitte, and Gartner, among others, to establish a methodology of essential information security standards,” he says. Sixty-eight standards formed the initial framework, which was refreshed two years ago when four more were added based on a gap analysis. “These standards are not static,” Place explains. “We reexamine them every two years against changes in our business requirements as well as new threats on the information security landscape.”
In 1997, Place was given the charge to lead IT for The Coca-Cola Company’s business in Europe and Eurasia. Reporting directly to the group president of European operations for The Coca-Cola Company, Place had an opportunity to see the interworking of IT; the translation of front-line capabilities into IT services. “The experience in Europe gave me a new business perspective,” he contends. “Frontline capabilities—and our success as a business—are directly impacted by what we do in the back office.”
This is the lens through which Place and his team prioritize their different initiatives. “Probably the biggest learning from my experience in Europe is how I go about setting priorities,” he notes. “There are many opportunities—from new projects to innovative technologies—to pursue. And there are always more than can be practically done and moreover not all of them will produce the same level of benefit to the business.”
A formula for business integration
In order to ensure transparency between the business units and global IT, Place worked with the IT leadership team to establish geographically dispersed information security leads. “Their role is to carry the information security message to the business units,” Place explains, “ensuring compliance with regulations relevant to each and relaying their business requirements back to the Information Security and Regulatory Compliance team.”
He continues: “We rely on a business planning process, which includes presentation of new technology and security initiatives to business leaders. This allows our group IT leaders to connect with their business counterparts to ensure alignment between what they need and what we are doing.”
Beyond the above, The Coca-Cola Company has a System IT Council comprised of the CIOs of its top bottlers around the world. “For the past three years, information security has been one of the standing agenda items covered by the council,” Place notes. “The discussion covers the level of maturity within each of our different information security programs and opportunities for the sharing of best practices and innovative solutions.”
As Place has transformed the information security program at The Coca-Cola Company, Symantec has played an important role in helping him to architect and build the underlying infrastructure, processes, and policies. “It is an open, ongoing, reciprocal relationship,” Place describes. “It’s imperative for us to work closely with Symantec, providing their team with feedback on areas where there are synergies as well as areas where improvement is needed. This enables the Symantec team to support us better.”
Since the primary objective for Place and his team is on defining and enforcing IT governance and building strategy, they out-task certain components of their information security program. For example, for security monitoring and management, they engaged Symantec Managed Security Services about five years ago and renewed the three-year contract two years ago.
Place and his team have spent significant time working with Symantec to evolve and mature the relationship. “We are dependent on each other to be successful,” he says. “Making sense of all the data we get from Symantec Managed Security Services is really where the magic is. As a result, we’ve worked closely with the Symantec team to evolve our metrics and reporting in a way that enables us to make it actionable for the ongoing improvement of our protection capabilities.”
Place supplements the services he receives from Managed Security Services with Symantec Residency Services. The Symantec Residents are able to coordinate with Symantec’s Security Operations Center to proactively triage different security threats before they become a problem or escalate remediation if they do. “The value of having Symantec Residents is that there is a direct connection between them and the larger Symantec organization,” Place adds.
The cloud is strategic reality
Cloud computing is not simply a vision for The Coca-Cola Company but a reality—one that Place anticipates will play an increasingly important role for the company. “There are various advantages associated with cloud computing,” Place explains. “The economic benefit is the most obvious. However, flexibility and the ability to quickly assimilate changes into the business, including mergers and acquisitions, is just as appealing and may hold even greater potential over the long run.”
The Coca-Cola Company’s 2020 Vision and Roadmap for Success details aggressive growth objectives, and cloud computing will most certainly play an important role according to Place. “We can manage certain services more efficiently in the cloud than from a traditional glasshouse data center. The other advantage is that we can connect and transact business more effectively with partners—through both public and shared cloud models.”
Messaging security in the cloud is a bet that Place and his team made several years ago, and they are quite pleased with the results. “Before, we had an appliance-based solution for messaging security, and it worked quite well,” Place says. “However, with the exponential growth in spam and email-borne malware volume, we started to look at alternatives.” One of the most pressing issues was the fact that they had to add more appliances to their network as volumes grew and their capacity was exceeded. The amount of spam traffic also created network bandwidth challenges. “As the appliances resided behind our network firewall, all of the incoming spam was simply causing too much congestion,” Place explains.
As a result, Place and his team elected to move to a hosted services model. They initially implemented Symantec Hosted Mail Security but, with Symantec’s acquisition of MessageLabs, are in the process of planning a migration to MessageLabs Hosted Email Security. “We are very pleased with the decision,” Place conveys. “Messaging security is something we no longer have to worry about.”
Bottling security for the consumerization of IT
The technology landscape is rapidly changing, and information security is dramatically more complex than it was five years ago. “It was much easier to deliver technology solutions a few years ago,” Place relates. “We had standard images, a standard set of client tools, and standard ways of collaborating with the workforce.” Consumerization of IT, the convergence between consumer technologies and enterprise technologies, is changing all of this according to Place. “There is a fundamental change taking place as we transition to a Web 2.0 world, and we must evolve our traditional ways of delivering client interfacing technologies, devices, software, and collaboration tools to a more vendor agnostic, best-of-breed approach,” he argues.
Endpoint security is one of the ways Place and his team are addressing the information security challenges associated with the Consumerization of IT. Historically, The Coca-Cola Company relied on Symantec AntiVirus for its client and data center environment. “We elected to upgrade to Symantec Endpoint Protection because of the benefits of standardization and its expanded capabilities,” Place says. “We had various inconsistencies with how we used our PC-based firewalls and had an intrusion prevention solution that wasn’t robust enough for our business requirements.”
Now, in addition to antivirus and antispyware, Place and his team leverage the personal firewall and intrusion prevention capabilities in Symantec Endpoint Protection across more than 25,000 clients and several thousand data center servers, all from a single console. “We are benefiting from the robustness of Endpoint Protection and are looking forward to the integration of other Symantec products in the future,” Place concludes.
DLP: a personal and corporate responsibility
As with any large, global enterprise, educating the workforce on safe computing is one of the biggest challenges for The Coca-Cola Company. “Information security is a critical business challenge for the company, and it is everyone’s responsibility,” Place observes. “It is no longer simply a problem that technology can solve on its own.”
For example, in order to encourage behavioral changes with employees, Place and his team implemented a Safe Home Computing Program that provides employees with tips and advice on secure computing protocols as well as a discounted offer for Norton Internet Security. “The idea is to help make information security more personal and to raise their awareness of confidentiality and privacy,” Place explains. “We want our employees to think about information security not only from a business angle but a personal angle as well. As they become more aware of the vulnerabilities and protect themselves better at home, they will carry this behavior and knowledge over into the workplace.”
Data loss is an inevitable risk for any large global organization, regardless of the extent and effectiveness of employee training programs, and a more programmatic approach was needed. Following a request for proposal process that evaluated solutions from several technology providers, Symantec Data Loss Prevention was selected. “One of the key requirements was the need for an integrated solution that handled all three areas of data loss prevention—the network, endpoints, and storage,” recalls Katherine Fithen, The Coca-Cola Company’s lead for global data privacy and the information security manager for North America.
At the beginning of 2009, the team began rolling out the solution with the help of Symantec Consulting Services. Different business stakeholders were contacted to identify policies for discovery as well as enforcement. “Our initial focus is on data in motion and the need to prevent certain types of information from leaving without encryption and to prevent other types of information from leaving altogether,” Place says.
The solution has been quite successful, reports Place. “It has allowed us to connect with the business and educate different groups on appropriate messaging practices when sending certain types of data.”
Aiming for “Hillside” information security
Perhaps one of the most successful advertising campaigns of the 20th century is The Coca-Cola Company’s 1971 “Hillside” advertisement featuring the hit single “I’d Like to Buy the World a Coke.” Shot on a hillside racetrack outside of Rome, Italy, the television advertisement included several hundred young people from all racial backgrounds singing in unison. Within 10 days of releasing the ad, The Coca-Cola Company had received more than 10,000 letters from consumers thanking them for the message.
If information security was only this easy, the work of IT leaders such as Place would be much simpler—and their list of priorities much shorter. But that isn’t the case. Getting an organization to sing in unison on information security is easier said than done (or sung). And the emergence of cloud computing and Consumerization of IT will make their charters even more challenging.
In the future, information security programs need refreshing approaches like the one Place and his team are taking in order to be successful. “We take the protection of our brand and everything that it represents—the happiness people worldwide derive from it—very seriously,” he concludes. “And we cannot allow an information security threat to compromise that brand equity. We will continue to evolve our information security program to meet these emerging challenges.”
* While The Coca-Cola Company did not invent the modern-day, red-and-white garbed Santa Claus (as there is evidence of similar representations before the Coca-Cola Santa), it played a pivotal role in making him the most-recognized secular icon of Christmas. Seeking to bolster sales of Coca-Cola during the winter, The Coca-Cola Company employed Haddon Sundblom, a commercial illustrator, in the early 1930s to create a series of memorable drawings of Santa enjoying a bottle of Coca-Cola. These eventually evolved beyond simple advertisements and billboards to representations such as the one my grandmother acquired at a small grocery store in 1947.
Patrick E. Spencer (Ph.D.), the editor in chief for CIO Digest and The Confident SMB, still attempts to abscond with and uncap Santa’s bottle of Coca-Cola each Christmas when his grandmother isn’t watching.