Hints for Developing Your Own Security Advocates

Mitch Davis, CIO of Bowdoin College, knew that he would have a problem selling the college community on security improvements, simply because most organizations and people resist change. So before proposing a massive security infrastructure revamp that would ultimately include tighter identity- and access-management controls, he worked with two faculty members to create a course titled “Senior Seminar in Network Security.” The eight students in the class researched existing security practices and used this information to help write a new set of security policies for Bowdoin. The result: These students and faculty became a team of advocates for campuswide security improvements. Davis, who also works outside of academia, believes this technique can succeed in a corporate setting, too. He advises CIOs to assemble a cross-functional team to review corporate security policies against industry best practices and to call in consultants, if needed, to point out security holes and potential exposures. “The goal is…to build a security advocates team that works throughout the organization to support existing practices, develop new solutions and provide feedback to IT,” Davis says. “The best security solutions are those that protect the business and its assets while at the same time empowering the company and the staff. Having people from all departments involved in the decision process helps build security solutions that are supported rather than circumvented by departments and staff.”