Kenneth F. Belva

Improving Your Security Posture: The Citibank Scorecard

I attended a reception after the UN conference for Web Development 2006 organized by AIT Global.

In the course of the reception I met Brad Hildreth, a Vice President in the Information Security Department within the Technical Infrastructure Group at Citigroup.

Our discussion centered around improving the security posture within an organization.

He told me that his group will query various divisions within the company, place the corresponding metric next to the division head’s name and distribute the scorecard to management. Since the division head managers are very competitive and do not wish to be seen in a negative light for performance reasons, the managers at the bottom will correct the issue and then score above the other division heads. When the metrics are recalculated and the new performance cards are distributed, the managers who are then on the bottom will forge ahead to the forefront. This happens ad infinitum until the issue is ultimately resolved and the metrics meet the necessary baseline across all divisions.

This may not apply to every company, but it is worth thinking about if one is in an organization that is highly competitive in nature.

(Note: I received Brad’s permission to publish this information at the reception.)


  1. LonerVamp Nov 22, 2006 at 4:50 pm

    So, basically looking at the metrics, attacking the lowest denominator until it is no longer the lowest, then repeating with the next lowest?

  2. Kenneth F. Belva Nov 22, 2006 at 5:24 pm

    I think the idea is that people do not want to be last and that those who are singled out as such will fix the issues so they are no longer last. By publishing the metric results, the baseline will improve because people want to maintain their reputation as a high performer. I’d be a bit careful about using the word attack.

  3. LonerVamp Nov 24, 2006 at 2:05 pm

    Hehe, I didn’t mean like really attacking the lowest person, just attacking the problem itself. 🙂 Tackling, addressing. Bad word choice either way, though, yes.

