In the experience of Marriott International, Inc.'s Chris Zoladz, e-business security is a process, not a project.

That was the message Zoladz delivered at the recent E-Security Conference and Expo in Boston, sponsored by the Intermedia Group. As vice president of information protection for Marriott, Zoladz reports through the legal department, although he is not a lawyer. His function is to identify where Marriott's most valuable business information is stored and how it moves within and outside the company. Marriott has a separate responsibility defined for the technical infrastructure supporting security, which is given to the IT security architect.

Zoladz outlined the strategy his team employed for elevating e-security issues to the highest levels of Marriott's management.

"We set up some guiding principles," he said. The principles state that information confidentiality and non-repudiation are non-negotiable; that business owns the information and is accountable for its protection; that security exists to mitigate business risk; that security must be a business enabler; and that security must be pragmatic and fast.

"Business people have to step up to the plate," Zoladz advised. "IT does not own the information; IT is the custodian."

His team set out to get the endorsement of executive management by getting on the agenda at the highest possible level of business management meeting. "We walked them through the value of information and outlined the business risks," Zoladz said.

Marriott was embarking on an initiative to increase online purchasing for its 2,000 hotels, making some 10,000 items available via a Web catalogue. One example of risk would be incorrect pricing information. The meeting went well. "We got 90 minutes on their agenda, which was quite unprecedented."

Following the meeting, Marriott created a multi-disciplinary Information Protection Advisory Committee (IPAC) for each business unit. This included a senior vice president from the functional area, an IT security architect, IT auditors, and representatives from information protection, legal and human resources. "This engaged business people directly and gave them a greater sense of ownership," Zoladz said.

The purpose of the IPACs is to provide proactive insight about e-business plans, to collaborate on information security issues and solutions, to endorse cost-effective methods for implementing security solutions, and "to set the tone at the top."

Marriott defines four roles around e-business security. Information protection staff members, including Zoladz, are charged to chair the IPACs and monitor legal requirements and compliance. The IT security architect protects the enterprise from intrusions, viruses, information theft and corruption. The architect also implements security solutions selected by the business, and leads pre-deployment security validation. Business leaders participate in the IPACs, and select security solutions based on the costs and the risks associated with alternatives presented by IT. Business leaders also proactively engage other disciplines in e-business strategy discussions. Finally, IT auditors monitor compliance with company security policy.

"In some organizations, the security officer drives all the solutions," Zoladz said. "We found the spirit of inclusion has increased the level of ownership, particularly on the business side."

Risk assessment is performed by first identifying the most important information supporting the business process. Each of those is ranked on a scale of one through seven. If a certain threshold is exceeded, the team discusses a security strategy for protecting the information.

It does happen on occasion that the business managers decide to accept a level of risk that the security professionals advise against. "We document that," Zoladz said.

In response to a question, Zoladz said Marriott did not require its managers to sign a document that they agreed with the security plan. The questioner commented, "We found it was a powerful step to get people to sign a document saying they would accept a certain level of risk." Zoladz said signing a document would not be a good cultural fit for Marriott, but the email trail ensured against "amnesia' setting in later.

In response to another question, Zoladz estimated that Marriott is spending 4% to 5% of its IT budget on security.

The critical success factors for any company embarking on a comprehensive e-security strategy should include the following, Zoladz advised:

  • Enlist the executive sponsor.
  • Maintain the businessperson's perspective.
    "We are in business to make money, not to create firewalls." He advised against having technical personnel lead the charge for getting security funding from management.
  • Ensure security is part of e-business funding.
    "If it's budgeted, it will get done. If it's not budgeted, it can't get done."
    For example, Marriott was printing the Social Security numbers of customers on certain printed forms. IPAC members agreed that was not really necessary and posed a certain security risk to the customers. "But when it came time to print the forms again, that was not such a high priority," Zoladz commented.
  • Be flexible.
  • Promote security as a process, not a project.