CIO Digest

Scuttling Scalawags (cont.)

CIGNA's Craig Shumard on battling 21st-century pirates

"We realized early on that employee awareness accounts for 30 to 40 percent of the effectiveness of an overall security program," he says. "Why? Because a vast number of policies, such as protecting encrypted laptops during travel, rely on people doing the right thing and cannot be implemented and/or enforced via technical controls."

Along with an emphasis on awareness, CIGNA made sure to first cover the basics: securing the perimeters, filtering content, protecting against viruses, and utilizing patching processes. "But as the risk model changed, our focus broadened. Using internal scorecards and external benchmarking, we measure our effectiveness in 19 different categories of security, from workstation security to network security, contracts, policy, telecommunications, training and awareness, and the engagement of senior business management from a governance standpoint, among others. Consequently, we've been able to demonstrate continuous improvement these past six-plus years." Shumard's progressive tactics have garnered him awards such as the Executive Alliance's Information Security Executive of 2006 for the New York tri-state area.

"We work closely with the physical security team on issues such as laptop theft, and business continuity incidents where they liaise with authorities and partner with us. We jointly develop the policies and procedures around items such as ensuring that laptops are secured and doors are locked."

Building the house, secure

Shumard reports to the CIO. In turn, a number of groups within the company report to him. "We have an engineering and standards group," he explains. "These are the folks who create the road map for where we think we need to go, evaluate potential security products to get there, and set the standards for configuration and deployment. They also evaluate all incoming products to ensure they are properly configured with the proper levels of security, and provide support to our IT architecture and technology office around security issues in those areas. The group also signs off on security checkpoints we have throughout our systems development life cycle. They review various artifacts and documents, and ensure that our security standards are met during system changes or development. That same business team focuses on our outsourcing activities, making sure the right levels of security and standards are in place for the IT software development or business process outsourcing we have going on offshore."

Another team reporting to Shumard is CIGNA's information protection officers (IPOs). This team interacts directly with the business units as well as IT. Under the banner, "Security is everyone's responsibility," Shumard's team has linked information protection with the business by creating information protection champions, senior business leaders with full-time business roles who act as the overall senior advocate and conduit for security throughout their organizations.

Also in the business units are information protection (IP) coordinators who work directly in the business and spend approximately 10 to 15 percent of their time working on information protection matters. "The IP coordinator role is essential for providing insight, support and influence, all critical elements to implementing an IP culture, one where employees understand the role they play protecting customer information," Shumard says.

Security issues are communicated differently depending on the audience: a letter from the information protection champion, email blasts, lunch-and-learn sessions, town meetings, or security training classes tailored to the needs of employees in different roles.


©1995 - 2007 Symantec Corporation