Security imperative

12.12.2005
To Ken Bohlen, an organization's attitude toward information security is modeled by the expectations that are set at the very top.

That's one of the reasons why Bohlen, who is executive vice president and chief innovation officer at Textron Inc., has created an organizational structure under which the company's top security and privacy officers report directly to him. The model was designed to let Bohlen have a say in enterprisewide security matters. It's also aimed at giving him near total visibility into all facets of information security and data privacy at the US$10 billion Fort Worth, Texas-based conglomerate, which owns companies such as Bell Helicopter and Cessna Aircraft Co.

"It's something we had to put in place, particularly because of Sarbanes-Oxley," he says. "It's helping transform the way we look at information security and privacy."

Bohlen's top-down approach to information security is an example of the new strategies that IT leaders say are needed to comply with regulations and deal with emerging security and privacy threats.

"The one point about security that is being widely recognized is that it's an enterprisewide issue and not just a technology issue or an IT issue," says Mark Resmer, formerly chief technology officer at eCollege and now CTO at Whitney University in Dallas.

Increasingly, the key to a successful security strategy is in being able to connect the technology issues to the business issues, says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.

"You can't ignore the technology issues," Lindstrom says. "But you've got to be able to connect all the bits and bytes and tie that back to the business issues."

New kind of security

Several factors are changing age-old notions about the information security function and its place in the organization, say IT leaders.

Traditional network perimeters are fast disappearing, if not already gone, as companies connect their networks to those belonging to partners, suppliers and customers. The trend is exposing companies to greater risks than ever before, even as cyberthreats and the people behind them appear to be getting more sophisticated.

Companies are also under pressure to demonstrate due diligence when it comes to securing their networks and data, whether from statutes such as the Sarbanes-Oxley Act or data privacy regulations such as California's SB 1386 law.

Adding to the challenge of securing enterprise data is the proliferation of mobile and wireless workers and small storage devices, such as thumb drives capable of storing gigabytes of data, says Eric Gorham, director of IT at the Regional Justice Information Service, a data processing center serving law enforcement agencies and other public-sector bodies in the St. Louis area.

As a result, security today needs to be not so much about technology but about "people, processes and accountability throughout the organization," Resmer says.

User training, awareness and education are as important as technology when it comes to implementing an effective security strategy, he says. Also key is the need to view information security as a business-enabling function rather than as just a cost center that always "prevents people from doing things," says Resmer.

One example is eCollege's approach of allowing employees to use their own PCs and laptops when connecting to the company's network, Resmer says. This is despite the fact that eCollege - like the universities and other academic institutions it serves - operates in an environment that's long been considered especially vulnerable to hacker attacks. "We can try to prevent people from using their personal systems, but then you are only encouraging them to find ways around that," Resmer says. Instead, eCollege allows it, as long as users meet certain prescribed safeguards.

In the end, it's about "making security something that isn't just the CIO's problem," he says. "Make it the CTO's problem, the CFO's problem, the CEO's problem and the board's problem."

And make sure there's involvement at the very top, Bohlen says. As a global organization with offshore operations, Textron's security challenges include protecting its intellectual property and complying with rules that prohibit certain kinds of data from being handled at offshore locations.

Every month, Textron's chief information security and privacy executives brief Bohlen on key events and trends pertaining to enterprisewide information security and data privacy issues. Bohlen also gets feedback from individuals within each business unit who report directly to him.

Quarterly audits by an internal team and an annual audit by an external firm further augment Textron's security efforts and ensure that internal compliance goals are being met.

And there's no such thing as overcommunication when it comes to information security, says Hari Bezwada, program manager for IT systems at the Pentagon Renovation & Construction Program Office in Arlington, Va.

Bezwada, for instance, is in charge of requirements-gathering in a massive ongoing effort to combine networks belonging to the U.S. Army, Navy, Air Force, Marines and the National Military Command Center into a single unified command center. The effort entails getting each of the services and agencies to operate off a common network backbone with standardized servers and storage. It requires the agencies to adopt standardized security and firewall rules that can be managed centrally while also accommodating the unique security requirements of each agency.

Key to making it all work is communication, says Bezwada, whose IT team is working with operational leads from each agency to learn about their specific security requirements and alleviate any fears they may have.

The approach guarantees their support while also ensuring that broader goals are met, he says.

"Communicate, communicate, communicate," says Bezwada. "Communicate up your chain to senior leaders to get their buy-in. Communicate across your community to get information and learn from others who may have gone through, or are going through, a similar experience. And communicate with your users. They're the ones who will make or break your project."