A security breach is about to occur at your company. Think fast. Who will slam the electronic door on a hacker without erasing evidence of the digital misdeeds? Would someone in your company have the presence of mind to activate door and badge systems, pull access files and look for other signs of a physical break-in -- or would those thoughts surface days or weeks later, after it became clear that the hack was an inside job? When the time came to charge the perpetrators, would you or someone who works for you feel comfortable advising your company's lawyers on whether or not to prosecute or settle the matter out of court (and out of the public eye)?
With its new Information Protection Team headed by former FBI supervisory special agent John Hartmann, Cardinal Health can answer yes to those questions. Hartmann is the vice president of security for the $30 billion Fortune 100 health-care manufacturing and distribution company, which has 40,000 employees worldwide. He and his small team of security specialists oversee all aspects of asset protection -- including digital data, a job many people consider to be in the purview of IS.
Hartmann's group of 15 acts like an internal SWAT team, helping Cardinal's business units determine the value of their data, assess the extent of its risk, and decide on practical security levels on a case-by-case basis. "The philosophy was to look at security in a holistic sense," says Hartmann. "We had firewalls, and we had people with a portion of their jobs related to security, but there was no dedicated team to address the big-picture aspects of protection."
This global view of physical and digital security helps Cardinal maintain a clear minimum level of security throughout the company. It also helps identify when actions in one division could compromise security. If the worst-case scenario should occur, it ensures that the company is ready to respond and defend its assets in both the physical and virtual worlds.
While those goals sound sufficiently well intentioned, are you willing to give up corporate real estate or entrust the safety of your business-critical digital assets to someone in a separate security division? If your gut answer is no, you may need to sleep on this one. Security industry watchers and some analysts say an independent, elevated security function is fast becoming a requirement for companies that need to protect their digital assets on several fronts.
At Cardinal, Hartmann receives full and enthusiastic support from Kathy Brittain White, CIO and executive vice president, and Tony Rucci, the executive vice president and chief administrative officer. The bottom line? You could well be looking at your next organizational structure.
Get Physical
When Hartmann joined Cardinal Health in October 1998, the Dublin, Ohio-based company was in hypergrowth mode. Hartmann was brought in to keep on top of its mushrooming need for plant security, theft and tampering prevention, and the other precautions typically addressed by security officers.
Then-COO John C. Kane, who has since retired, was concerned that Cardinal was expanding so fast that it was in danger of outgrowing its security function, says Hartmann. "The original plan was to keep up with the physical security -- cameras, gates, and access control -- and tackle the larger things that don't necessarily always get done like crisis management, risk assessment, and investigations into theft loss and product tampering." One of those things was protecting proprietary information, which is Hartmann's specialty. In his last position with the bureau, he investigated trade-secret thefts, hacking, and other types of corporate information loss.
Hartmann spent his first six months surveying internal operations and gathering security benchmark data from contacts he had made during his tenure at the FBI. After asking individual business units in Cardinal to spell out their security procedures and concerns, he concluded that the company sorely needed an information protection policy to serve as a baseline for security practices. "The individual business units lacked a global view," says Hartmann. Some groups, One unit may not have assets that are as high on the risk scale as another's, but their actions on a large, decentralized network affect everyone. -JOHN HARTMANN typically those with sensitive data, were very competent regarding their security practices, but other groups were not. "One unit may not have assets that are as high on the risk scale as another's, but their actions on a large, decentralized network affect everyone. People don't always realize the implications their actions can have outside of a centralized IT function. All it takes is one box connected [improperly] to the Internet."
Hartmann called his A-list of corporate contacts from his FBI days and asked them to offer their best practices regarding security.
Hartmann's best practices contacts all worked in companies with a security team reporting to IS or on equal footing with IS. "Companies with information protection outside had increased objectivity and investigative skills, and knowledge that doesn't normally reside in IT." For example, he says, traditional security officers often have some kind of investigative training, a skill IS workers rarely possess.
Armed with those observations, his discoveries about Cardinal's business units and his previous experience in proprietary data protection, Hartmann pitched the idea that physical and information security should be combined into one functional unit of responsibility (the plan was formally adopted in the spring of 2000).
"The door was open for me to do what I had to do to show
The message we want to sent is that Cardinal takes information ans security very seriously. -JOHN HARTMANN
the company where I thought we should be," Hartmann says. "Cardinal is a company that creates and utilizes a vast amount of proprietary information. We do a lot of R&D, we have a lot of self-manufactured products and vast amounts of customer information, patient data and pricing information. All of that is critical to our business." Without policies, practices, and review processes to address both physical and electronic vulnerabilities, he argues, the company would be hard-pressed to protect those assets.
Cardinal wins points for merging physical and digital security from Forrester Research senior analyst Frank Prince, who says integrated security makes sense for many companies and is a must for those involved in e-business. IS brings its obvious expertise in network intrusions, and traditional security personnel have more experience in areas like forensics and civil and criminal lawsuits.
Cardinal has already had experience with such malicious intent. Like all other security executives, Hartmann is reluctant to talk about breaches at Cardinal, but he acknowledges that two former employees were scheduled to go on trial in March 2001 for theft of trade secrets. Hartmann is slated to testify in the case and can only say that the incident was a combination of digital and physical (an electronic plus hard-copy) theft, the investigation happened under his watch, and he recommended to senior executives that the company press charges. "The message we want to send is that Cardinal takes information protection and security very seriously and will go to all means to protect that information," he says.
To Assist and Advise
Hartmann's group is charged with four primary responsibilities:
- Developing and updating security policies that are understood and agreed on by business unit leaders and effectively communicated and enforced throughout the organization
- Conducting vulnerability assessments of networks and systems, as well as filing cabinets, desk drawers, and any other place where security breaches might occur, whether digital or physical
- Collaborating projects
- Detecting intrusions and coordinating emergency response when a security breach occurs or a cataclysmic event hits the company
In other words, Hartmann's team talks about the need for firewalls rather than installing them. "John isn't doing password protection and firewalls. That's our job. All the security that you need for applications is our responsibility," says CIO White, who doesn't feel she is losing "real estate" to Hartmann. "He covers things like patent protection that my group would never deal with. I think of what he does as an enhancement rather than giving up ground."
White presides over a $250 million, 1,500-person operation and has responsibility for all IT initiatives, including the company's business-critical Cardinal.com e-commerce project. The role of Hartmann's 15-person team is "to assist and advise."
Every Cardinal business group, including IS, is ultimately responsible for its own day-to-day operational security. Hartmann's group provides global intrusion detection, easy access to security expertise, an enterprisewide view of data protection and, if all else fails, a targeted response team trained to minimize damage and preserve evidence.
"I focus on what's right for my area. They're looking at the big picture for the whole company," says Mike Beck, manager of telecommunications and technical shared services, which has called on the Information Protection Team when developing the company's Internet infrastructure for Cardinal.com. "We go to them and get their opinion first, and we follow their guidelines in setting up our security features."
"John has acted as a consultant to the CIO and to me to help us figure out what the state of the art should be on information protection," says CAO Rucci. "But it's very clear in my mind that the accountability falls with the CIO for anything and everything having to do with information security. Kathy White has full involvement and veto power over information security."
Hartmann and White have nothing but praise for each other and their collaborative environment, and each insists that in two years they have not encountered an impasse that couldn't ultimately be resolved through bargaining and negotiation. "I get asked to make judgment calls in situations where the ideal scenario is X, the practical solution is Y, and the minimally acceptable solution is Z," says Rucci, who gets the occasional jump ball kicked to his office. "We have to take it on a case-by-case basis, but the big question is always, What is in the best interest of our customers and our shareholders?"
Collaborate Early and Often
In his benchmarking research, Hartmann realized that organizations with the most effective information protection strategies had created a team of experts who functioned like internal business consultants. "That's the model we adopted," he says. Although he refers to his team as a service organization and his business-unit users as clients, funding comes from the corporate budget rather than a charge-back basis.
The goals of Hartmann's team are to emphasize collaboration, get involved in projects as early as possible when security considerations can easily and inexpensively be built into applications to offer solutions, instead of simply pointing out transgressions. "The old days of in-your-face security are gone," Hartmann says. "You can't just point your finger at someone and say, 'Your system's not secure.' You've got to bring him a solution."
For instance, when White was in the planning stages for Cardinal.com, the company's procurement and reporting site for health-care corporations, a representative from Hartmann's group was involved to establish security policies, provide security guidance and conduct a security review when the project was ready to launch. However, the nuts-and-bolts details of passwords, firewalls, and so on were left to e-commerce designers in individual IS groups like Beck's.
When business unit managers disagree with security advisers on the level of protection a particular project needs, business value is always the tie breaker, Hartmann says. The Information Protection Team's formal mission is to "ensure the integrity, confidentiality, and availability of critical information and information assets while maintaining the competitive agility of Cardinal Health business units." In other words, Cardinal wants to be as secure as it can be.
Hartmann is all too aware that security people, especially former FBI employees, can come off as paranoid fanatics. "We constantly balance risk versus accomplishment. The Hartmann is all too aware that security people, especially former FBI employees, can come off as paranoid fanatics. onus is on us to come up with security solutions that don't hinder business goals." In building the Information Protection Team and developing security guidelines, Hartmann first convened an advisory committee comprising representatives from legal, risk management, internal audit, HR, IS, and other key departments to establish standards and working procedures. "If you want people to feel like they own the policy, you have to pull them together and ask for their input. If you want a team response, you have to have the group offer solutions right from the beginning."
The team often tries to walk business owners through the process of understanding just how much their knowledge assets are worth to the company and just how vulnerable they may be. Once business units have a full idea of what their assets are worth, they're often more likely to agree with the team's security recommendations.