Until early 2013, the IT team tried to enforce a very orthodox security strategy on the organization. It created strict policies, rules and controls that all subsidiaries were expected to follow. Given the culture of the organization, this approach was not very successful.
The group’s CIO realized that something had to change, and started exploring alternative approaches that would be more suitable to the organization's autonomous culture and structure. He opted for a PCS strategy that was based on trust.
The trust-based security strategy empowered decision makers within the enterprise's subsidiaries to make their own risk-based decisions. In essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from the group’s IT team. This enabled a more collaborative approach, much better aligned with the organization's culture, that minimized risk while maximizing the use of a wide variety of IT services. It stood in stark contrast to the previous policy-based, dictatorial approach.
The IT team continued to develop and improve its security education program to support the trust-based strategy. In parallel, the group’s CIO reached out individually, via email, to the managing director or president of every subsidiary, outlining the proposed new approach. The rollout of the new strategy was followed up with regular joint strategy review meetings between the group’s IT team and subsidiary executives.
From a security perspective, the IT team is now seen more as a strategic partner by the subsidiaries, rather than an obstacle. The subsidiaries make their own risk-based security decisions, guided by the principles and core standards, with the IT team providing appropriate advice. IT also gets invited much more frequently to support the subsidiaries with their risk decisions. The overall result is that security risk management in the enterprise has improved because:
- IT, as a corporate function, now has much better insight into the overall risk position of the enterprise.
- The collaborative approach enables the subsidiaries to make improved risk decisions.
The culture of the organization was a key enabler for the trust-based approach, as was visible executive support. Care had been taken to ensure that the company did not fall short of its standard of due care under the various regulatory requirements that applied to it.
Ongoing communication was also vital, not just to overcome the objections of the few dissenting IT managers, but also to maintain the ongoing impetus of the strategy. Overall, security and risk leaders must carefully consider whether PCS is appropriate for their organization and ensure that the appropriate enterprise environment exists for it. PCS is not a tool for initiating cultural change.