In Depth

Security Accountability: The Fault Line

Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.

By Tom Wailgum

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Along with raising awareness, process management can reinforce the expectations that the security department has for everyone. "Fundamentally, security is a process. That means that it is not a tool; it's not a piece of hardware or software," says SunGard's Herberger. "It is about your risk tolerance. About your company's culture. And there's no way that it can be solely with one staff function."

At Nortel, Williams tries to involve as many different functions in his security process as possible. He works with members from various cross-functional groups, with internal audit and the insurance group, for example. Deeper within his security process, you'll find three core elements: risk assessment, enterprisewide collaboration and strategic planning. Williams staffs his department with people who come from a variety of different areas: systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can "cut across security and think in terms of the whole organization," he says. As part of the process, he and his team continually assess and reassess all of their client groups' needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. "I own the process," Williams says confidently. "There are a number of processes here that have my team's signature on them." But, he and other CSOs add, all of the security processes should have everyone else's signatures on them as well, including the business execs'.

If and when it's needed, Williams also has a process that takes care of follow-up and investigation, for when something goes wrong and fingers start to point. Though Williams won't discuss the specifics of anything that actually has gone wrong at Nortel, he'll use the example of a breached network to describe what he would do. If something happens, he says, he and his team members will go back, review the situation and ask: What did we miss? Should we have better prepared? Then he'll go back to his strategy and reassess that. "For security events that do occur, you have to review them carefully and quickly," he says. "If it was wrong in the way that it was handled, then that's my responsibility." He also gets out and solicits feedback about crises from all levels of the organization. He talks about security events and presents findings to senior leadership, thereby raising awareness and promoting his processes at the same time.
