Almost everyone agrees that proper security stems as much from good policy as it does from technology, but you don’t hear much about how to create great policies. Arun DeSouza is responsible for policy and a whole lot more at Inergy Automotive Systems, a manufacturer of plastic fuel systems that sells to automakers around the world. With some 4,500 employees in 18 countries, it’s not possible to create policy by consensus. DeSouza explains the strategy he used to shape Inergy’s security policies and shares his view on how proper identity management can make security a business enabler rather than a burden.
What is your role within the Inergy organization?
I head a global group called Strategic Planning and Information Security, which is a division of Information Systems and Services, what we call IS&S. I report to Inergy CIO Francois Fromange, with a dual role: I manage IS&S governance initiatives, such as Budget and Risk Management. I also serve as Inergy’s CISO.
Why did Inergy combine the strategic planning role with security?
The central themes interconnecting these areas are governance and process. Strategy, of course, is an ongoing process, and it helps promote alignment between IS&S and the organization to ensure IS&S is addressing current and future needs. But as we engage in new technology projects to enable the business, the impact of security should not be forgotten. Another key consideration is prioritizing new investments and managing the IT project portfolio.
What do you mean by governance?
Governance is the process and discipline to make sure that enterprise objectives are aligned in a proper discipline framework. There are several different angles, including accounting and financial controls. Then there’s governance centered on portfolio management: making sure projects come in under budget, deliver the value they promised and align with enterprise objectives. There’s also a compliance tier to it. Governance is actually a catch-all role for the idea of important business management disciplines. It’s not just IT, it’s really a business function. I focus on governance for IT, but governance can be extended to the whole business itself.
Who was involved in shaping security policies at Inergy?
We had a cross-functional team involving human resources and IS&S, as well as the legal department. The team had a variety of representatives, but the objective was to come up with a core set of policies based on industry best practices and [International Standards Organization] guidelines.