All too often, internal politics get in the way of standing up IT projects that seek to mitigate risk rather than make a clearly defined return on investment. How do you get management buy-in? Stephen Withers investigates, using Australia Post as an example.
The IT security department at Australia Post had twice attempted to establish a business case for the use of data loss prevention (DLP) software, but twice had been turned down, according to the organisation's former chief privacy officer, John Pane.
Data loss prevention software detects and in some cases prevents confidential or sensitive data from being transferred off a system or network via unauthorised means.
A breakthrough came when Pane refused to give his assent to a proposed IT security policy covering the use of USB devices because it didn't include DLP.
Challenged to rewrite the business case, Pane included factors such as the effect on Australia Post's reputation and brand equity if a serious loss of data occurred.
Surveys at the time showed Australia Post to be one of the country's most trusted organisations. The Government-owned corporation handles a great deal of personal data through its agency arrangements for handling passport and driver licence applications and other sensitive matters.
Consequently, reputation was and remains critically important to Australia Post.
Pane's rewritten business case was sent straight to Australia Post's managing director, bypassing other executives, and, significantly, this fast-tracked its adoption.
Australia Post selected McAfee's data loss prevention software to help put the policy into effect.
Pane - now chief privacy officer at iappANZ, the local chapter of the International Association of Privacy Professionals - recalled to attendees at McAfee's Focus 2010 security conference that Australia Post had a comprehensive security policy, but it was incomprehensible to most employees and no effort had been made to communicate it to them.
Further, the organisation had been using a 15-year-old Defence Department template for information classification. Australia Post's business and risk environment had changed a great deal since that template had been written.
Pane took ownership of the policy, rewrote it, and put the result into circulation with the assistance of a steering committee comprising around 30 employees from around the organisation.
Pane said there was resistance from some quarters, but he pointed out that there was already policy covering the relevant issues. Once objectors realised the importance of the policy in terms of the need to protect Australia Post's brand, he said, they often began to champion it.
Pane said it was important to keep the business engaged in the process, which was achieved through the steering committee as well as a working group of those directly affected by the changes.
A lot of effort went into communication and awareness raising, he said, which included giveaways of McAfee merchandise.
The IT team needed additional resources to handle the amount of communication needed, but the payback was staff involvement in the process and positive feedback from employees, he said.
While the initial letter to staff about the new policy was drafted by Pane and sent by the managing director, subsequent communications were jointly signed by the chief information officer and the chief privacy officer (Pane).
A side-effect of the introduction of DLP software was that it provided visibility into unsanctioned activities, such as the use of privately-owned USB drives for the exchange of non-work files among Australia Post employees.
But what of the business case itself?
Pane said the net present value of the project was negative over the first three years. Australia Post nonetheless went ahead with it, because it could not afford to lose any of its agency clients as the result of a data loss incident.
Furthermore, he expects mandatory breach reporting to be in place within two years, so any data loss incidents would be made public and would likely have a serious impact on the Australia Post brand.
Disclosure: The writer travelled to Las Vegas as the guest of McAfee.