- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
CSO - For Kim Keever, security knowledge (no matter how thorough) is not enough. Vice president of information security and controls for Coca-Cola, Keever and her team of 60 security staffers have the expertise to implement security technology and practices in addition to evangelizing security awareness.
To Keever, this is a key distinction. Some security groups are set up as subject-matter experts for the rest of the organization, advising on what to do and remaining silent on how to do it. Keever believes this approach undermines credibility. "You can't just be a security specialist. You have to understand how to get things done in the IT space. I could not just pick technology and hand it over to another group in IT to implement it," she says.
Given her background, it's unlikely Keever would ever take a backseat approach to any aspect of security. She began her career as an IT consultant in the mutual fund industry, specializing in cross-functional team management and disaster recovery and business continuity. This led to a post as CIO for Invesco's retirement group back in Atlanta, her hometown.
"I focused on all aspects of IT but had a special interest in ensuring controls were in place in environments leading to a focus in security tools and audit practices," she says. When Invesco's retirement group was sold off, Keever seized the opportunity to spend a few years at home with her young children.
In 2009, she was recruited to enhance controls for Atlanta's Coca-Cola Enterprises (CCE), then the largest bottler in the Coke system. There, Keever led an effort to enhance access controls, and role was seen as important when Coca-Cola moved to acquire CCE's North American operations, which became Coca-Cola Refreshments (CCR) in 2010.
"They wanted to focus on aligning security with the Coca-Cola Company standards in this North American business unit," she says.
Following the acquisition, CCR's risk posture changed because it was now connected to its parent company's environment. "Things had to be modified quickly. We had the added pressure of needing to align with a global company that had a different set of security standards," she says.
Keever moved quickly to build her team, which she sourced both internally and externally. "I have a diverse group of people who had systems implementation experience, people that come from IT audit, and people that worked at the security vendors. My team is security-focused but business-minded and knows how to get things done."
One of her team's first initiatives was implementing a role-based identity- and access-management security infrastructure that allowed employees to serve themselves in many cases. For example, new hires are automatically provisioned and receive network access without having to go through the typical paperwork and manual processing. At the same time, Keever worked to simplify compliance with security practices for employees by easing password management by using a cross-company password-management tool and a federation platform.