A single sentinel in charge of security, both physical and digital, makes sense for this company. Does it make sense for yours?
Reader ROI
Learn about one organisation's integrated approach to security Hear the pros and cons of a consolidated security effort Determine how you might establish your company's security structure A security breach is about to occur at your company. Think fast. Who will slam the electronic door on a hacker without erasing evidence of the digital misdeeds? Would someone in your company have the presence of mind to activate door and badge systems, pull access files and look for other signs of a physical break-in - or would those thoughts surface days or weeks later, after it became clear that the hack was an inside job? When the time came to charge the perpetrators, would you or someone who works for you feel comfortable advising your company's lawyers on whether or not to prosecute or settle the matter out of court (and out of the public eye)?
With its new Information Protection Team headed by former FBI supervisory special agent John Hartmann, Cardinal Health can answer "yes" to those security questions. As vice president of security for the $US30 billion, Fortune 100 health-care manufacturing and distribution company with 40,000 employees worldwide, Hartmann and his small team of security specialists oversee all aspects of asset protection - including digital data, a job many people consider as being in the purview of IS.
Hartmann's group of 15 acts like an internal SWAT team, helping Cardinal's business units determine the value of their data, assess the extent of its risk and decide on practical security levels on a case-by-case basis. "The philosophy was to look at security in a holistic sense," says Hartmann. "We had firewalls, and we had people with a portion of their jobs related to security, but there was no dedicated team to address the big-picture aspects of protection."
This global view of physical and digital security helps Ohio-based Cardinal maintain a clear minimum level of security throughout the company. It also helps identify when actions in one division could compromise security. If the worst-case scenario should occur, it ensures the company is ready to respond and defend its assets in both the physical and virtual worlds.
While those goals sound sufficiently well intentioned, are you willing to give up corporate real estate or entrust the safety of your business-critical digital assets to someone in a separate security division? If your gut answer is no, you may need to sleep on this one. Security industry watchers and some analysts say an independent, elevated security function is fast becoming a requirement for companies that need to protect their digital assets on several fronts.
At Cardinal, Hartmann receives full and enthusiastic support from Kathy Brittain White, CIO and executive vice president, and Tony Rucci, the executive vice president and chief administrative officer (CAO). The bottom line? You could well be looking at your next organisational structure.
Get Physical
When Hartmann joined Cardinal Health in October 1998, the company was in hypergrowth mode. Hartmann was brought in to keep on top of its mushrooming need for plant security, theft and tampering prevention, and the other precautions typically addressed by security officers.
Then-COO John Kane, who has since retired, was concerned that Cardinal was expanding so fast that it was in danger of outgrowing its security function, says Hartmann. "The original plan was to keep up with the physical security - cameras, gates and access control - and tackle the larger things that don't necessarily always get done like crisis management, risk assessment and investigations into theft loss and product tampering." One of those things was protecting proprietary information, which is Hartmann's specialty. In his last position with the bureau, he investigated trade-secret thefts, hacking and other types of corporate information loss.
Hartmann spent his first six months surveying internal operations and gathering security benchmark data from contacts he had made during his tenure at the FBI. After asking individual business units in Cardinal to spell out their security procedures and concerns, he concluded the company sorely needed an information protection policy to serve as a baseline for security practices.
"The individual business units lacked a global view," says Hartmann. Some groups, typically those with sensitive data, were very competent regarding their security practices, but other groups were not. "One unit may not have assets that are as high on the risk scale as another's, but their actions on a large, decentralised network affect everyone. People don't always realise the implications their actions can have outside of a centralised IT function. All it takes is one box connected [improperly] to the Internet."
Hartmann called his A-list of corporate contacts from his FBI days and asked them to offer their best practices regarding security.
Hartmann's best practices contacts all worked in companies with a security team reporting to IS or on equal footing with IS. "Companies with information protection outside had increased objectivity and investigative skills, and knowledge that doesn't normally reside in IT." For example, he says, traditional security officers often have some kind of investigative training, a skill IS workers rarely possess.
Armed with those observations, his discoveries about Cardinal's business units and his previous experience in proprietary data protection, Hartmann pitched the idea that physical and information security should be combined into one functional unit of responsibility (the plan was formally adopted in the US spring of 2000).
"The door was open for me to do what I had to do to show the company where I thought we should be," Hartmann says. "Cardinal is a company that creates and utilises a vast amount of proprietary information. We do a lot of R&D, we have a lot of self-manufactured products and vast amounts of customer information, patient data and pricing information. All of that is critical to our business." Without policies, practices and review processes to address both physical and electronic vulnerabilities, he argues, the company would be hard-pressed to protect those assets.
Cardinal wins points for merging physical and digital security from Forrester Research's senior analyst Frank Prince, who says integrated security makes sense for many companies and is a must for those involved in e-business. IS brings its obvious expertise in network intrusions, and traditional security personnel have more experience in areas like forensics and civil and criminal lawsuits.
Cardinal has already had experience with such malicious intent. Like all security executives, Hartmann is reluctant to talk about breaches at Cardinal, but he acknowledges that two former employees were scheduled to go on trial in March for theft of trade secrets. Hartmann is slated to testify in the case and can only say that the incident was a combination of digital and physical (an electronic plus hard-copy) theft, the investigation happened under his watch, and he recommended to senior executives that the company press charges. "The message we want to send is that Cardinal takes information protection and security very seriously and will go to all means to protect that information," he says.
To Assist and Advise
Hartmann's group is charged with four primary responsibilities:
Developing and updating security policies that are understood and agreed on by business unit leaders and effectively communicated and enforced throughout the organisation Conducting vulnerability assessments of networks and systems, as well as filing cabinets, desk drawers and any place where security breaches might occur, whether digital or physical Collaborating projects Detecting intrusions and coordinating emergency response when a security breach occurs or a cataclysmic event hits the company In other words, Hartmann's team talks about the need for firewalls rather than installing them. "John isn't doing pass-word protection and firewalls. That's our job. All the security that you need for applications is our responsibility," says CIO White, who doesn't feel she is losing "real estate" to Hartmann. "He covers things like patent protection that my group would never deal with. I think of what he does as an enhancement rather than giving up ground."
White presides over a $US250 million, 1500-person operation and has responsibility for all IT initiatives, including the company's business-critical Cardinal.com e-commerce project. The role of Hartmann's 15-person team is "to assist and advise".
Every Cardinal business group, including IS, is ultimately responsible for its own day-to-day operational security. Hartmann's group provides global intrusion detection, easy access to security expertise, an enterprisewide view of data protection and, if all else fails, a targeted response team trained to minimise damage and preserve evidence.
"I focus on what's right for my area. They're looking at the big picture for the whole company," says Mike Beck, manager of telecommunications and technical shared services, which has called on the Information Protection Team when developing the company's Internet infrastructure for Cardinal.com. "We go to them and get their opinion first, and we follow their guidelines in setting up our security features."
"John has acted as a consultant to the CIO and to me to help us figure out what the state of the art should be on information protection," says CAO Rucci. "But it's very clear in my mind that the accountability falls with the CIO for anything and everything having to do with information security. Kathy White has full involvement and veto power over information security."
Hartmann and White have nothing but praise for each other and their collaborative environment, and each insists that in two years they have not encountered an impasse that couldn't ultimately be resolved through bargaining and negotiation. "I get asked to make judgement calls in situations where the ideal scenario is X, the practical solution is Y and the minimally acceptable solution is Z," says Rucci, who gets the occasional jump ball kicked to his office. "We have to take it on a case-by-case basis, but the big question is always, What is in the best interest of our customers and our shareholders?"
Collaborate Early and Often
In his benchmarking research, Hartmann realised that organisations with the most effective information protection strategies had created a team of experts who functioned like internal business consultants. "That's the model we adopted," he says. Although he refers to his team as a service organisation and his business-unit users as clients, funding comes from the corporate budget rather than a charge-back basis.
The goals of Hartmann's team are to emphasise collaboration, get involved in projects as early as possible when security considerations can easily and inexpensively be built into applications to offer solutions, instead of simply pointing out transgressions. "The old days of in-your-face security are gone," Hartmann says. "You can't just point your finger at someone and say: Your system's not secure'. You've got to bring him a solution."
For instance, when White was in the planning stages for Cardinal.com, the company's procurement and reporting site for health-care corporations, a representative from Hartmann's group was involved to establish security policies, provide security guidance and conduct a security review when the project was ready to launch. However, the nuts-and-bolts details of passwords, firewalls and so on were left to e-commerce designers in individual IS groups like Beck's.
When business unit managers disagree with security advisers on the level of protection a particular project needs, business value is always the tie- breaker, Hartmann says. The Informa-tion Protection Team's formal mission is to "ensure the integrity, confidentiality and availability of critical information and information assets, while maintaining the competitive agility of Cardinal Health business units." In other words, Cardinal wants to be as secure as it can be.
Hartmann is all too aware that security people, especially former FBI employees, can come off as paranoid fanatics. "We constantly balance risk versus accomplishment. The onus is on us to come up with security solutions that don't hinder business goals." In building the Information Protection Team and developing security guidelines, Hartmann first convened an advisory committee comprising representatives from legal, risk management, internal audit, HR, IS and other key departments to establish standards and working procedures. "If you want people to feel like they own the policy, you have to pull them together and ask for their input. If you want a team response, you have to have the group offer solutions right from the beginning."
The team often tries to walk business owners through the process of understanding just how much their knowledge assets are worth to the company and just how vulnerable they may be. Once business units have a full idea of what their assets are worth, they're often more likely to agree with the team's security recommendations.
Early and frequent collaboration is the easiest way to smooth negotiation among the various departments, says Forrester Research's Prince. To determine who should be at the table when it comes time to build a security team, Prince suggests skipping ahead and envisioning an actual security breach at your company. Who needs to be involved? Certainly IS, but also plant security, facilities people, HR, legal, public relations and so on. "Instant-response teams have a range of organisational components, but those people should all be involved in planning and implementing security in the first place," he says.
On the Case
For all their initial success, Cardinal executives aren't sure if their current structure is the result of institutional brilliance or simply a matter of skilled personalities in the right place at the right time. Rucci and White are both enthusiastic supporters of Hartmann, but say his position is the result of his unique background and the entrepreneurial atmosphere that was in play at Cardinal at the time.
"John Hartmann had been with the FBI, and his specialisation was information protection. We looked at that and said, Here's a person with some unique skill sets, what should we do with him?'."
White agrees with the unique nature of Cardinal's situation. "If John were not here at the time, it probably wouldn't have been done that way," she says. "My organisation was so lean, his organisation was brand new; it's as if we were in start-up mode. In an organisation with a more mature IS group, I don't know if it would make sense to pull security out like that."
Security specialists believe Cardinal's approach will make sense for more organisations in the long run. As companies realise their intellectual property exists in multiple forms, they'll eventually move toward a risk-management model of protection that addresses physical, logical, technical and business risks, predicts Christian Byrnes, vice president for security programs at consultancy Meta Group (US).
Byrnes has seen a few early adopters like Cardinal in the health-care and finance sectors, but feels most companies are still five to 10 years away from having an elevated, coordinated security unit. "You can't say it's the wave of the future yet," he says. "But the far future? Yes, probably."
The Security Executive's To-Do List
Merge physical and IT security organisations.
Have asset owners identify critical assets, determine their value and participate in risk assessments.
Audit security early and often.
Demand background checks and psychological profiling for sensitive staff.
Evaluate business partners' security.
Source: Forrester Research
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.