In Depth

Security Accountability: The Fault Line

Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.

By Tom Wailgum

When Granger first arrived at Delphi, he laid out a charter detailing the specifics and differences between his responsibilities and those of corporate.

Granger says he and his charter were well-received. It defined the global security policy at Delphi. Considerable effort has been spent ever since spreading a "strong infosec policy that's published everywhere," Granger says. And not just to users but to executive officers through a high-level governance board. "Here, people can't say that they aren't aware of the policy," he says. "The charter has greatly enhanced our visibility and security awareness here. They know who we are."

But it's not solely about getting the word out, he adds. It's how you speak the word and how it's received. It comes down to developing trust with your peers. Which lets them, in turn, feel all the more comfortable shouldering some of the accountability burden.

The silent tension for Dardet and his colleagues was palpable over the phone lines. This was an important deal for JM Family. But equally important to Dardet was knowing that the second clause was intact.

The JM Family negotiation team (the business-side executive on the deal, a procurement person, JM Family's corporate lawyer and two external lawyers) wanted more from Dardet. The group played out, over and over again, the ramifications of signing the deal without the second clause in place. They talked about risk and reward. Was this a manageable risk? Was the reward worth it?

On the one hand, the lawyers felt they had sufficient protection even if they didn't get the second clause from the vendor. Dardet, however, was focused on the other hand. "The deal may have worked legally, but [the protection] was very obscure," he says. "I don't care whether it's legally good or bad. I wanted it clear."

Dardet said his part one last time. Specifically, he was less worried about the legalese of the whole affair and more concerned with living with this deal, taking care of the day-to-day security matters, after midnight came and went. "They all knew my position," he says. "They knew what I was asking for."

Still, JM Family seemed to be waffling, while the vendor's representatives were standing firm.

At Nortel Networks, Timothy Williams, vice president of corporate security and systems for the network communications provider, tends to lean on relationships and solid security processes when he talks about accountability. "The key to accountability is process management," Williams says. "Security is no different than any other process or function, and how we handle business events develops credibility."
