Your Organizational Chart Tells a Security Story

Tuesday, August 28, 2012

Tripwire Inc


Article by Shawna Turner-Rice

Talking to other practitioners, there are some common organizational challenges that everyone has lived through.

One of those is the unintended consequences of poor organizational alignment for the security folk.

While I previously talked about how to plan for good alignment, today I want to focus on some common mistakes and their potential consequences.

Mistake #1 – Marginalizing the security team(s). Even if a lot of the security people don’t spend their day-to-day life working with and influencing the business (although that might be a problem in itself), in order to have a culture of security, the team must at least be able to talk to those who influence that culture.

Why does it happen and what is the consequence? The common reason to push the security team over to the side (or down) the org chart is a belief that what they do isn’t a core value proposition for the company. Although some managers think that org structures don’t matter, other people still infer what you value by where you place teams and people.

They go on to infer that if the security team is not represented at a leadership level, and is not empowered the same way as your primary product team, then it’s not a priority. Reinforcing the idea that security is low value and low priority creates impediments for the business and the security team when they try to negotiate risk and work collaboratively.

Mistake #2 – Having the security team report to executives who don’t believe in security value. Security people do need to learn to speak the language of business. This gap doesn’t get addressed by simply making them report to someone who doesn’t personally value security, regardless of title.

In a situation where there is a CFO and a CIO, and you’re evaluating who the security resources should report to, understanding which of them will take an interest in the topic is a great first step. People who are interested in the topic will find it much easier to strike up a conversation and create common ground.

Why does it happen and what is the consequence? This is often an attempt to be sensitive to someone’s needs. It may be that the executive who values security is overloaded. Or that organizationally there’s one person who’s really going to be the gate for initiatives, so the hope is that by tying security to that gate, things will go better. The consequence is that if the executive doesn’t value the work of the team, everybody is unhappy.

The executive doesn’t want to waste time dealing with something they don’t see value in, and the team doesn’t feel valued. In the short term that can lead to not just poor security, but business costs related to attrition and low morale. In the long term, that configuration will probably result in a culture of cynicism, which can be hard to change.

Mistake #3 – Thinking Security is just another word for Information Systems or Technology. Security, when done well, is part of the fabric of an organization, and encompasses non-technical things. For example, every time an employee notices that someone shouldn’t be following them through the door, or that another person in the org would never have sent an email with that content, that’s security, divorced from IS or IT.

Another example is staff refraining from sending critical data to personal mobiles or via email. While there are technological solutions to help manage the attack surface, it’s a lot more effective if people never do these things in the first place. IS and IT can talk technology, but as a department they are not charged with creating a culture of security.

Why does it happen and what is the consequence? This particular mistake often happens because security sounds technical, IS / IT is technical, and they are often worried about the same assets, so the reasoning goes that we should just roll them together. The consequences of this are more insidious. Traditional IS or IT measurements involve things like uptime, quality of service, and ease of access.

Security can be in conflict with those goals. For example, if uptime is the single most important measurement for an IS / IT shop, and operating system patches require reboots, what wins? The team can usually optimize for only one of the two goals.

In addition, the best security seems to come from negotiation, and when security is locked down in one department with other primary goals, the opportunity to do the creative work that can lead to the most effective security is hard to come by.

To evaluate where you are today, print out your org chart with the security resources highlighted. Pretend you are a new hire (or find a friend who doesn’t work for your organization). Identify what story your security resource location tells. Is security a priority? What type of security, and who are they partnered with?

From there, you can drive insightful questions about what the goals of your security resources are and if / how their current organizational alignment helps or hinders those goals.

What mistakes have you seen? How did you address them? I’d love to hear!

Cross-posted from Tripwire's State of Security

Lisa Simpson:

You left out one HUGE mistake that a lot of companies make... Namely, giving the IT team and the Security team the same reporting chain. What I've seen is IT teams who run roughshod over security teams because they have deadlines to meet and "besides we can deal with security later". This largely happens because the IT managers feel pressured to perform and to deliver working products.

Our CISSP group has had a long running discussion on LinkedIn about where - in the org chart - the security team should live.

Choice #1 is CSO - C-level security officer.

Choice #2 is tied between CEO, COO, and CIO. There are pros and cons for each.

One thing that did come out of all the discussion is that CFO is not desirable, as many times it's not easy to quantify ROI or savings with security. Another big thing from the discussion is consensus that the security team should report as near the top of the org chart as possible, with C-level being much preferred. I don't think that anyone mentioned a VP or Director-level position as desirable.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.