For Kim Keever, security knowledge (no matter how thorough) is not enough. Vice president of information security and controls for Coca-Cola, Keever and her team of 60 security staffers have the expertise to implement security technology and practices in addition to evangelizing security awareness.
To Keever, this is a key distinction. Some security groups are set up as subject-matter experts for the rest of the organization, advising on what to do and remaining silent on how to do it. Keever believes this approach undermines credibility. "You can't just be a security specialist. You have to understand how to get things done in the IT space. I could not just pick technology and hand it over to another group in IT to implement it," she says.
Given her background, it's unlikely Keever would ever take a backseat approach to any aspect of security. She began her career as an IT consultant in the mutual fund industry, specializing in cross-functional team management and disaster recovery and business continuity. This led to a post as CIO for Invesco's retirement group back in Atlanta, her hometown.
"I focused on all aspects of IT but had a special interest in ensuring controls were in place in environments leading to a focus in security tools and audit practices," she says. When Invesco's retirement group was sold off, Keever seized the opportunity to spend a few years at home with her young children.
In 2009, she was recruited to enhance controls for Atlanta's Coca-Cola Enterprises (CCE), then the largest bottler in the Coke system. There, Keever led an effort to enhance access controls, and her role was seen as important when Coca-Cola moved to acquire CCE's North American operations, which became Coca-Cola Refreshments (CCR) in 2010.
"They wanted to focus on aligning security with the Coca-Cola Company standards in this North American business unit," she says.
Following the acquisition, CCR's risk posture changed because it was now connected to its parent company's environment. "Things had to be modified quickly. We had the added pressure of needing to align with a global company that had a different set of security standards," she says.
Keever moved quickly to build her team, which she sourced both internally and externally. "I have a diverse group of people who had systems implementation experience, people that come from IT audit, and people that worked at the security vendors. My team is security-focused but business-minded and knows how to get things done."
One of her team's first initiatives was implementing a role-based identity- and access-management security infrastructure that allowed employees to serve themselves in many cases. For example, new hires are automatically provisioned and receive network access without having to go through the typical paperwork and manual processing. At the same time, Keever worked to simplify compliance with security practices for employees, easing password management with a cross-company password-management tool and a federation platform.
Since 2010, Keever's team has delivered significant business value and reduced risk through a number of security initiatives, including raising security visibility and awareness, and implementing the first out-of-region disaster recovery capability for the North American environment. Keever also spearheaded development of a program to partner with audit and IT owners to develop root-cause resolution of audit findings.
Lately, she's been focused on compliance with payment card industry (PCI) regulations. She developed a center of excellence to serve as a centralized resource for this key area. The team evaluated compliance and mediated issues for PCI-relevant processes in the North American business as part of preparations for attaining tier one vendor status this year.
Keever's accomplishments are impressive, even more so given that they took place during a tumultuous time in her personal life. In 2011, both of her hitherto vibrant parents got sick and died, one after the other. Work provided a much-needed distraction during that time, she says.
Understanding the business (its threat profile, drivers and objectives) helps Keever when discussing funding needs for key security initiatives. "From a funding perspective, it is easier for me to make a case because I focus on value to the business," she says.
That is right in line with her belief that security people should be doers rather than just advisers. Having seen both ways of operating an information security organization, Keever comes down strongly in favor of her team implementing security technology as opposed to just advising the business and IT on security matters. "Your business can't afford to have a team of subject-matter experts telling people what to do from a security perspective. You have to have them doing things and showing value," she says.
"I feel very fortunate. Coca-Cola is a great company. It is really exciting with so much opportunity to succeed. It's very focused on diversity, women, accepting of different needs, enabling a flexible lifestyle," says Keever. "It's been very rewarding for me."