Harland Clarke Rechecks Risk Management

New security program adds more systematic processes for evaluating, prioritizing and mitigating risk

October 16, 2007. CSO — Three and a half years ago, Harland Clarke Holdings' approach to security was very much in tune with its identity as a market-leading manufacturer of checks and check-related products for businesses and consumers. Security, according to John Petrie, chief information security officer at the San Antonio, Texas-based company, was a tactical concern that focused on the production processes in its nine plants throughout the U.S.

But that approach was becoming a bit old-fashioned as Harland Clarke expanded beyond its manufacturing roots, adding customer contact centers, direct response marketing services and electronic commerce capabilities to its offerings.

"There were issues around protecting electronic data, and our printing processes had changed over to the digital age, so there was a transformation that had occurred," Petrie says. "We knew we had to change our risk management structure."

That's why, when Petrie was asked to join the company in 2004, Harland Clarke (named Clarke American at the time) was on the brink of a CEO-driven reinvention, not just of the processes it used to make security and risk management decisions but also the way its entire culture viewed security. In order to retain its competitive position in the market, "we wanted to become a secure provider of checks and check-related services, versus just a manufacturer," Petrie says.

Meanwhile, by 2005, Harland Clarke's own customers—financial institutions—were demanding more security controls and risk programs from their suppliers, thanks to regulatory changes that required them to prove end-to-end security in their supply chains.

Three Priorities

The top three priorities of the new security program, Petrie says, included taking advantage of enterprisewide quality processes (the company won a Malcolm Baldrige National Quality Award in 2001); linking security and risk mitigation decision processes to the business's operating plan and strategic growth goals; and ingraining security into the mind-set and daily activities of Harland Clarke's employees. "We wanted to make sure security wasn't a thing that sits out there and functions on its own," Petrie says.

It was essential, Petrie says, to leverage Harland Clarke's quality program in the design of the security program, especially to enjoy the cost savings. "We were able to take advantage of the solutions we implemented for quality in the areas of identification, notification and prevention," he says. For example, in each plant there are personnel in charge of monitoring and maintaining quality processes. Now those same people are also responsible for determining whether events that could potentially affect quality might also impact security, such as changes to plant schedules or machine malfunctions.
