Saturday, February 7, 2009

Thoughts on IT Security Organizational Structure

I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.

As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be support. In order for InfoSec to be successful it must have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:

  • Develop high standards of corporate governance
  • Treat InfoSec as a critical function that enables an organization to do business
  • Create an environment that understands the importance of, and embraces, InfoSec
  • Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner
  • Ensure that controls being implemented by InfoSec are appropriate and proportionate to the risk being addressed
  • Stay informed and accept ultimate responsibility and accountability

The first bulleted point in the above list, "Develop high standards of corporate governance", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:

  • An all-inclusive security strategy that links to clearly defined and documented business objectives
  • Security policies that address the multiple facets of security strategy, regulatory compliance and controls
  • Standards for each of the policies to make sure that procedures and guidelines comply with policy
  • An organizational structure void of conflicts of interest with sufficient resources and authority
  • Metrics and monitoring processes to ensure compliance and provide feedback

Again, I want to emphasize that it is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to standing behind InfoSec. Without this complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.

To limit conflicts of interest and realize the benefits from investing in InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or to an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind its back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISOs/ISOs/ISMs began reporting to CEOs, CFOs, CTOs and CIOs.


Ok, great, so the ISO should report to the CFO ... then what?

What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy & Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security to business continuity and disaster recovery.


Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when the majority of the investment is being put into technology, then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.

So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to be more strategic. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help the business achieve its objectives, InfoSec will need to become more focussed on 'intelligence': gathering information, the ability to comprehend, the ability to develop policy and plans at a high level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.

Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There will need to be coordination between IT Security, Operations, Policy & Compliance, Risk Management, Audit and Physical Security.

What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.



Steve Zenone said...

Another interesting point is that for InfoSec to be successful, it requires budget support. According to Khalid Kark of Forrester, security spending is between 7.5%-8.5% of the total IT budget:

“Other than maybe financial services, we tended to find the percentage of IT spent that went into security was close to 9% consistently. The interesting thing to look at that in 2007 planned spending data that came out of the research was that there was a consistency there - a level of consistency across industries that tended to follow a consistent pattern of about 8% of IT budgets going into security. That is good news I think for a lot of security managers who had been trying to get the message across to management that: one, security is important and two, you need to spend a good amount of your IT money in this area so that you’re well protected going forward.”

“The conclusion is that across industries, whether government or retail or telecom the ages are between 7.5% and 8.5% and there’s a convergence of IT spending going into security. This convergence speaks to some maturing that we also see in the overall security market.”


Steve Zenone said...

To note, back in 2001, R. Witty of GartnerG2 (now known as Gartner) wrote an article on strategic planning titled, “A look at the role of the chief information security officer.” Within the article Witty stated:

"The CIO and CISO have conflicting goals. The CIO is responsible for the availability of electronic assets, whereas the CISO is responsible for ensuring their confidentiality and integrity. Therefore, the CISO needs to be independent so as to report to senior management any conflicts between the delivery of technology in rapidly shorter time cycles and the need for controls that interfere with the delivery."

In other words, the GartnerG2 recommendation is that the CISO report to someone other than the CIO. An example would be having the CISO report directly to the CEO in a peer relationship with the CIO.