Good policy makes for good security

Inergy Automotive shares strategies for creating policies that apply across the globe

By Paul Desmond, Network World
September 10, 2007 12:10 AM ET

Almost everyone agrees that proper security stems as much from good policy as it does from technology, but you don’t hear much about how to create great policies. Arun DeSouza is responsible for policy and a whole lot more at Inergy Automotive Systems, a manufacturer of plastic fuel systems that sells to automakers around the world. With some 4,500 employees in 18 countries, it’s not possible to create policy by consensus. DeSouza explains the strategy he used to shape Inergy’s security policies and shares his view on how proper identity management can make security a business enabler rather than a burden.

What is your role within the Inergy organization?

I head a global group called Strategic Planning and Information Security, which is a division of Information Systems and Services, what we call IS&S. I report to Inergy CIO Francois Fromange, with a dual role: I manage IS&S governance initiatives, such as Budget and Risk Management. I also serve as Inergy’s CISO.

Why did Inergy combine the strategic planning role with security?

The central themes interconnecting these areas are governance and process. Strategy, of course, is an ongoing process, and it helps promote alignment between IS&S and the organization to ensure IS&S is addressing current and future needs. But as we engage in new technology projects to enable the business, the impact of security should not be forgotten. Another key consideration is prioritizing new investments and managing the IT project portfolio.

What do you mean by governance?

Governance is the process and discipline to make sure that enterprise objectives are aligned in a proper discipline framework. There are several different angles, including accounting and financial controls. Then there’s governance centered on portfolio management: making sure projects come in under budget, deliver the value they promised and align with enterprise objectives. There’s also a compliance tier to it. Governance is actually a catch-all role for the idea of important business management disciplines. It’s not just IT, it’s really a business function. I focus on governance for IT, but governance can be extended to the whole business itself.

Who was involved in shaping security policies at Inergy?

We had a cross-functional team involving human resources and IS&S, as well as the legal department. The team had a variety of representatives, but the objective was to come up with a core set of policies based on industry best practices and [International Standards Organization] guidelines.

We created a straw-man policy using our parent company policies and industry best practices. Then we worked section by section and just refined it through [Microsoft’s] NetMeeting and conference calls. In certain instances, we’d have in-person meetings with people from the legal department from both our corporate Inergy location and the parent company as well to make sure the policy didn’t conflict with any privacy or other regulations in any specific region.
