296 C.1 Organizational Security Management
C.1.2 Placement of a Security Group in the Organization
Where does security fit in an organization? Does it belong to the CIO, or should it report to the CEO directly? Should there be a centralized function, or should security be distributed across the organization? These are difficult questions to answer. Much of the data needed to answer these types of questions needs to come from an introspective look at the organization itself. It is necessary to determine what level of management attention the security team should have. That should help with the reporting structure. If security is a big issue, for whatever internal reason, then perhaps the CEO will want to keep it reporting directly to him or her. In very large organizations, it may be distributed in a regional model, with each regional security management leader reporting to a regional business leader or president.
Our recommendation, of course, is to place the security organization high enough up the corporate ladder to enable it to effect positive change. It must operate with a high degree of autonomy, and it must be led by someone who is respected by the management team as an effective role model with a high degree of integrity. Once a company comes to terms with to whom the security team should report, the next issue is to figure out what it should look like.
C.1.3 Security Organizational Structure
Before putting a security organization in place, there are a couple of considerations that must be addressed. First, is security something that will likely be a public or private issue for your organization most of the time? If the vast majority of security issues in your organization are never raised to the public, then your security team is likely also going to be a low-profile operation. However, for most companies, this is not the case. Any publicly traded company is more likely to fit in the high-profile, rather than the low-profile, category. If that is the case, then the security team should be structured to respond to issues that could increase exposure to risk, and it should be able to contain that risk in such a manner that all legal requirements are met and the public at large can feel satisfied that the management team is adequately protecting the assets with which it has been entrusted.
Structural issues now must include the basic elements of security, such as
incident response, policy development, forensics, training and awareness,
perimeter security measures, intrusion detection, secure remote access, and
so on. There are many, many distinct areas that have to be addressed in a
security plan. How the organization is structured is also a reflection of what