It's clear from our interviews that effective information security programs are made, not born. Here are five building blocks from organizations that have built strong security foundations.
1. Measure progress. Cigna's Shumard relies on two metrics: benchmarks and scorecards. The benchmarks cover 19 security categories, such as networks and applications, each scored on a 10-point scale by an outside auditor. "Ten is as safe as you can be," says Shumard. "Five is considered due care, meaning you'd pass most audits."
Cigna's board is briefed annually on the benchmarks, which have been in use for 10 years now. They not only lay out the company's progress (and setbacks) year over year, but also show how Cigna compares with companies of a similar size and complexity. The security team highlights efforts to improve scores where necessary.
2. Train business leaders. Vanguard rotates key businesspeople through the security group for blocks of time. CEO McNabb says the benefits are twofold: The security team stays grounded in the realities of the business; and executives learn more about security, then bring that knowledge back to their units.
McNabb also takes pains to keep himself up to date on security issues. He has quarterly briefings with his infosec team, including detailed discussions on strategy and planning. He even accompanies the security group to the lab to get demonstrations of new technologies being tested or rolled out.
Cigna takes a similar approach by establishing information protection (IP) champions and IP coordinators in each business area. Champions are senior people in major business units who ensure that security issues are addressed at a high level. They're supported by a larger group of IP coordinators, generally lower-level people, such as a manager of a customer call center or an office manager.
The IP coordinators are intimately familiar with day-to-day business operations: they know how employees actually get their jobs done, which gives them clear visibility into business practices that might present risks.
Shumard says these champions and coordinators provide valuable input into how information protection policies are developed and implemented within their own units. Both groups may also identify potential security issues not covered by policies already in place.
"You can't have a small organization deemed 'security' that would be able to address the needs of a large corporation," Shumard says. "It needs to be embedded and owned by the businesspeople."