I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.
As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be support. In order for InfoSec to be successful it must have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:
- Develop high standards of corporate governance
- Treat InfoSec as a critical function that enables an organization to do business
- Create an environment that understands the importance of, and embraces, InfoSec
- Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner
- Ensure that controls being implemented by InfoSec are appropriate and proportionate to risk being addressed
- Stay informed and accept ultimate responsibility and accountability
The first bulleted point in the above list, "Develop high standards of corporate governance", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:
- An all-inclusive security strategy that links to clearly defined and documented business objectives
- Security policies that address the multiple facets of security strategy, regulatory compliance and controls
- Standards for each of the policies to make sure that procedures and guidelines comply with policy
- An organizational structure void of conflicts of interest with sufficient resources and authority
- Metrics and monitoring processes to ensure compliance and provide feedback
Again, I want to emphasize that It is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to stand behind InfoSec. Without the complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.
To limit conflicts of interest and actualize the benefits from investing within InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind their back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO's and CIO's.
Ok, great, so the ISO should report to the CFO ... then what?
What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy & Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security, business continuity and disaster recovery.
Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when majority of the investment is being put into technology then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.
So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to be more strategic. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help business achieve its objectives, InfoSec will need to become more focussed on 'intelligence'; gathering information, ability to comprehend, ability to develop policy and plans at a high level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.
Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There will need to be coordination between IT Security, Operations, Policy & Compliance, Risk Management, Audit and Physical Security.
What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.