Retooling for Security
Security strategy will increasingly determine business success or failure in the information Economy. Here's how some companies are starting to go restructure for risk:
Before Sept. 11: No holistic approach to security; policies unclear and partially heeded.
Now: Each of 12 lines of business has its own security rep to size up and monitor IT and business risk issues, and to spot new ways to boost, change or expand current policies.
Key Project: A global awareness and training program, to be offered in person or online to all 100,000 employees by late 2004 in the philosophy, purpose, details and practices required of all security and privacy policies.
Payoff So Far: CISO Bill Boni reports less impact from viruses and 90 percent reduction in externally visible high-risk vulnerability.
Bank of America
Before Sept. 11: Fragmented security policies differed by business unit and lacked consistency across the corporation.
Now: Security strategy that coordinates physical, data, risk and business continuity strategies into one overarching plan that aims to take into account continuous change in technology and types of threats.
Key Project: Training initiative to boost employee awareness and better compliance with security policies.
Payoff So Far: Increased brand marketing value and lower costs in some areas due to a lack of duplicative efforts.
Air Products and Chemicals
Before Sept. 11: Security policy consisted of ID badges, visitor registration, fences and gates with cameras, along with security guards.
Now: Company-wide security management team assembled on Sept. 11 became permanent and scrutinizes the $5.4 billion company's policies and processes for physical and information security holes.
Key project: A $20 million security improvement program screens new buyers of the firm's most sensitive chemicals.
Payoff So Far: Jack Fekula, manager of IT security, says security policy compliance is up more than 50 percent.
Before Sept. 11: Security policies at the $5 billion, Basking Ridge, N.J., communications network builder were inconsistent throughout the company.
Now: All security policies are under the control of one cross-functional security team that includes business, legal, HR, IT, real estate, PR and environmental and risk representatives.
Key Project: New emphasis on emergency response training.
Payoff So Far: Having a single point of security accountability has reduced operational security costs and has kept a lid on insurance premiums, says risk manager Diane Askwyth.