A few years ago, American Family Mutual Insurance ran its IT operations like most other companies do: Business units would hand down an order for a new program or functionality, and IT would build it.
And as in most large organisations, a security manager would attempt to advise developers on vulnerable points and security requirements.
But that approach stretched the lone security manager too thin, says Mike Kleckner, who held that position at American Family three years ago.
So Winnie Schumann, director of enterprise technology strategies at the Madison, Wis.-based company, decided to put security controls into the hands of the systems specialists who knew their technology the best. Then, she handed the choices of individual security controls to the business units that owned the data in question.
All that was needed was someone to decipher the business needs into technical solutions and vice versa. This is where Kleckner and Leslie Peckham come in. They are now the company's information security advisers, coordinating security requirements between IT and business units.
"The business person knows the value of their data, and they know what controls are appropriate, so they should be in the driver's seat," Kleckner says.
Their biggest challenge echoes that of all IT departments: bridging the great divide between technology requirements and business requirements. Bridging this gap takes a certain amount of credibility, which comes from the backing of the most senior IT manager - in this case Schumann, who has also gathered support from the most senior company management.
Once they got this backing, Kleckner and Peckham approached this challenge on two fronts - raising IT awareness in the user community and raising business awareness in their IT support departments.
"How do you describe a [public-key infrastructure] in nontechnical terms and actually get people excited about it? It's a real basic formula: You find out what the business unit wants and give it to them," Peckham explains.
They started by developing a 10-point template from which business units can make informed decisions about their security needs. At the outset of any new project, the security advisers now meet with the business unit to discuss its needs and walk through the template.
That means asking the right questions, like the following:
• What are your strategic directions?
• What do you deal with?
• What information is confidential?
• What level of protection does that information require?
Once the business unit fills out a project security template, a business partner document is generated. Then the security advisers work with the technologists to address the security areas identified by the business units.
After that, they have to find a way to bring the business mentality of budgets, policies, operational integration and more into IT development teams, Kleckner says.
It's a matter of asking the technology units similar questions, so they can see IT security as a strategic business enabler and overcome their misconceptions that security gets in the way of efficiency, Peckham explains.
The final decision still needs to be made by the data owners. So once the technical specialists turn around a list of suggested solutions to meet the business unit's risk requirements, the advisers return to the business unit and discuss the levels of risk with its managers. Those business managers then make the final technical security choices that go into the project.
While Kleckner arrived at this position by way of information security, Peckham was an English major and then a technology strategist before taking her position at American Family. Peckham says her communication skills and Kleckner's more technical skill set complement each other.
"I'm less technical, so I work on the cultural changes that need to happen in order to enable security to take hold," Peckham says. "I love the awareness training end of the job."
Because their jobs are so creatively and technically demanding, and because security is ongoing, neither Kleckner nor Peckham sees themselves moving on anytime soon.
"We see ourselves as being able to change a corporate culture. That is our career progression," says Peckham.
Who: Leslie Peckham and Mike Kleckner
Title: Information security advisers
Company: American Family Mutual Insurance, Madison, Wisconsin (www.amfam.com)
Report to: Enterprise technology strategies director
Skills: Ability to explain and transfer technology ownership to business units
When undertaking a new development project, American Family enables the business unit project managers to set security requirements themselves. A key element is a template developed by the company’s two IT security advisers that explains key terms:

Authentication: Who are you?
Authorisation: What can you do?
Confidentiality and reliability: Privacy and dependability
Monitoring and tracking: What did you do?
Backup and recovery: Rebuilding the system
Physical security: Locking others out
Change management: Protecting the production process
Legal requirements: What the law expects
Training and awareness: What you need to know
Contingency planning: What if?

Program paybacks:
• Every major business unit is already represented on the corporate security board.
• Business participation in the company’s security intranet pages is strong.
• The corporate compliance officer even co-developed the IT security policies with Winnie Schumann, director of enterprise technology strategies.