Computerworld - My boss loves to tell of his presentation at a Cisco sales conference that ended with audience members standing on their chairs, clapping and hollering with glee. I have to admit I got a different reaction to a recent presentation of mine.
My company has become part of a larger group that is trying to merge cultures. A range of companies makes up the new company, and a headquarters team was formed to bring everything together.
Other companies in the group have outsourced their IT services to a third party (I'll call them "Acme Corp."), but we haven't. Those business units aren't so sure of the details of their security positions. They haven't explicitly listed IT security services in their outsourcing contracts, so there's a gray area. By the letter of their contracts, they don't receive any security services, but they've always managed to get some in the past either by inheriting what Acme does as the standard or by bullying or shaming the vendor into doing the right thing.
The other business units are under pressure from regulators and auditors who want to see compelling evidence that IT security is built in throughout the organization. They are looking for coherent policies, a management structure for security, and clear roles and responsibilities.
I was asked to represent my company at the first group security committee meeting. This team was set up by managers at headquarters who have "security" in their job titles. They invited representatives from each business unit, as well as a one from Acme, whom I will call John.
The aim was to help kick-start the process of sharing information and provide input into policy, roles and responsibility documentation. I'd been invited to talk about the areas of IT security that my unit covers in-house.
From the moment I arrived, it was clear that the senior staff hadn't reached a consensus regarding the best way to approach this topic. I met a chief security officer who explained that IT security and business continuity were both subsets of what he covered. Then I met the global head of business continuity, who explained that he covered physical security and IT security was a subset of that.
Shortly thereafter, the senior staff's new boss called us all in and told us that headquarters shouldn't be doing things for group companies such as holding committee meetings like the one we'd all just arrived to attend. Instead, he said, it should carry out a more remote role, checking to make sure we were
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
