Caterpillar Uses Better Intelligence To Drive Security - InformationWeek


Caterpillar Uses Better Intelligence To Drive Security

How strategy and a Capability Maturity Model are helping Caterpillar drive its information security transformation.


How do CISOs know whether they have sufficient funding? What are the best ways to measure progress? When results have been measured, how can successes and failures be communicated to the rest of the business?

These are questions that CISOs -- as well as any employee involved with information security -- face on a regular basis. They were central to a presentation given by Mike Zachman, deputy CISO of construction at machinery and equipment company Caterpillar Inc., at this year’s Interop Conference.

During his time at Caterpillar, Zachman was responsible for the global development and deployment of the company's information security program. He is currently leading the information security transformation for two of its high-risk business units. 


In order to measure and communicate progress, demonstrate strategic alignment, and calibrate with program management, Caterpillar adopted a Capability Maturity Model. The model was developed by Ernst & Young using data from 3,500 companies. It helps the team at Caterpillar assess the maturity of its program, see where it stands in relation to its competition, and identify where improvements are needed.

The visualization of its transformational progress, depicted as a single graph on one slide, is an improvement over the pages of numbers and metrics that CISOs typically handle, said Zachman. While the model isn't meant to be extremely precise, it's designed to give a close estimate of how the company is improving and whether it's investing in the right areas.

Throughout Caterpillar's transformation, the model helped employees recognize that it was focused on several areas of information security, but not all of them. Its security maturity benchmark data can indicate improvements made over multiple years or reveal areas where components of its strategy fall short of the industry average.

After two years, Zachman demonstrated, there was a major difference in how the company had improved across multiple areas of information security. The chart also displayed the achievement of major accomplishments, such as times when Caterpillar documented its information security strategy, implemented mobile device management, and demonstrated improved vulnerability awareness through self-phishing exercises.

(Image: geralt via Pixabay)


Zachman noted that it can be tempting for security professionals to put all of their security data into a series of slides, a methodology that seems more fitting given the amount of work that goes into information security. However, a more holistic view of progress is easier to understand and communicate.

Caterpillar's model has also helped demonstrate progress throughout the business.

"If you use a consistent model, it does give you the capability to talk to others who may not be information security professionals and give them something to understand," Zachman explained. As many in the field are aware, information security can be difficult to explain to an executive management team or board of directors.

If done well, a Capability Maturity Model like the one employed by Caterpillar can identify areas of strength and weakness while establishing a baseline for future success. However, it doesn't replace the necessary mountains of operational metrics throughout the organization, Zachman noted. People working in critical areas like configuration management and policy compliance need more detailed information to know that they are effectively doing their jobs.

Interop Las Vegas, taking place April 27-May 1 at Mandalay Bay Resort, is the leading independent technology conference and expo series dedicated to providing technology professionals the unbiased information they need to thrive as new technologies transform the enterprise. IT Pros come to Interop to see the future of technology, the outlook for IT, and the possibilities of what it means to be in IT.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

5/5/2015 | 5:21:54 PM
Re: Collaborating to increase security
@tzubair If you're talking about an industry-wide collaboration (among construction companies, electric companies, etc.) to share data, I agree that it could benefit all parties involved. The trouble, I think, is obtaining and organizing that data takes a lot of effort and resources. Caterpillar purchased its data from Ernst & Young, which was a much more efficient way of getting the information it needed to determine its place in the market. That way it could evaluate progress and plan for improvement in less time.