How Woolworths made IT risk a business issue

When Woolworths business executives "didn't get" an IT security presentation prepared by the company's risk manager Peter Cooper, he re-designed it in their language.

Today Cooper described how he managed to explain IT security threats to executives more concerned with the everyday business of running petrol stations, liquor outlets and supermarkets.

He delivered a presentation at CeBIT Australia's IT security conference in Sydney in which he described the winning over of Woolworths' business people as the key challenge of his past three years as group information risk manager at the organisation.

IT staff had responded well to his original wordy, 13-page presentation about IT security risk, Cooper said. But the presentation "didn't map to things [business managers] worried about".

He said his presentation was better received after being condensed into four pages of diagrams, and renamed 'A Business-Driven IT Strategy'.

"If I can't explain what I'm doing to my key stakeholders in a way that makes sense to them, then I can't do my job," he said.

Cooper joined Woolworths in October 2007 after having spent ten years as a system security manager at the Reserve Bank of Australia.

His first year was spent determining the "lay of the land"; designing a roadmap and building awareness of security and privacy issues within Woolworths.

With 180,000 staff in various divisions - including supermarket, petrol, financial services, liquor and electronics - introducing enterprise solutions could be a political challenge, he said.

"There were some guys who didn't know what I did at all," he recalled.

For one petrol executive, Cooper described a DDoS attack as people who didn't want to buy petrol "clogging up driveways in a petrol station".

Another manager in the grocery division was warned of malicious programs that could disable payment-processing systems.

Fresh results

Compliance with the payment card industry data security standard (PCI-DSS) is now seen within Woolworths as a "business problem that also involves IT", Cooper said.

Divisions are similarly assessed against quantitative, "group-wide metrics", including compliance against the PCI standard.

New projects are now required to be compliant with the PCI standard from inception - despite initial arguments that compliance was not required of previous projects.

"Today is the first day of the rest of your life," Cooper said when describing the cultural change needed.

"It's easy to become compliant, but it's really hard to maintain compliance," he noted. "You see regularly companies that have PCI breaches; it's the sustainability that's really important."

Cooper credited "very strong business support" for its security successes, thanking Woolworths' CIO for advocating the strategy, the CEO for highlighting privacy concerns, and the CFO for highlighting PCI concerns.