Client’s Challenge: A New Chief Security Officer Demands Better Security Policies
“Our security policies need attention,” the Fortune-ranked company’s new security leader explained. The global powerhouse’s many corporate divisions – organized by product, by geography or by the structure of companies at the time they were acquired – had dozens of security-related policy masters, manuals and executive memos in a dizzying array of formats.
While one division had been diligent in defining its own policies, others had virtually none. Many were out of date. Some were unclear. Or in conflict. Or incomplete. Most importantly, the company lacked a common set of security policies standardized across all of its businesses, regions and product groups.
Our Solution: A Complex – and Exhaustive – Process Pays Off
Rationalizing this state of affairs was a complex undertaking. Working closely with the client’s security team, Hillard Heintze helped (1) draft an initial Table of Contents organized by security domain, (2) identify existing source documents and (3) prescriptively map this content to the emerging framework. Then complexity set in.
“Security policy standardization at the enterprise level has to be advanced carefully,” explained the Hillard Heintze project manager. “Is this to be a physical document or a dynamically maintained manual on the company’s Intranet? Is the scope merely the domains ‘owned’ by the Security Department – or all security-related policies published within the company including those owned by other departments such as HR, IT, Compliance, Risk Management or the legal team? And how do you manage exceptions?” As the team burrowed into internal documents and intended outcomes, key issues with major long-term implications continued to unfold.
Impact on the Client: With Policy Centralization and Standardization Comes New Awareness and Internal Efficiencies
In months, this company’s handful of business divisions, scores of managers and thousands of employees will be able to visit one site on the company’s intranet. There, depending on their access privileges, they’ll be able to view, learn, comment on and contribute to a common set of global security policies. And, for the first time in many years, this company’s governance, risk and compliance executives will be able to review and assess the company’s exposure to security-related processes and protocols – and take action to better manage the company’s risk.
Unplugged: The Project Manager’s Post-Engagement Perspective
“Standardization is never a one-off solution. Change happens. Agility matters. Internal demands for waivers and exceptions challenge the client’s need for consistency and, wherever possible, simplification.
We help the client make their own decisions. It’s not right for us to decide because we don’t own the outcomes. Where we add value is helping the client understand where, how and why other organizations resolved a similar challenge in policy standardization. And if we do our job well, the client will make the best decision – knowledgeably, with context – for themselves.”