C Organizational Security Management
C.1 Organizational Security Management
The exact needs for a security organization can vary widely. Small organizations with little to no presence on the Internet may not require an organization at all, getting by with a knowledgeable systems administrator and decent HR policies. However, the vast majority of business entities today falls outside that category and needs to have a team of dedicated, well-trained security professionals in the organization. What should the composition of such a team look like? Who should they report to? What are their roles and responsibilities? In the next several sections, we will try to answer all of these questions.
C.1.1 Perceptions of Security
“Those security guys are holding up development team progress. We need to forget their recommendations and get this product out the door.”

Sound familiar? It is not easy to be the voice of dissent when hype is thrown at you during a meeting. However, many companies have learned the hard way, sometimes at extraordinary cost, that it is far cheaper to take security precautions early on in a development process rather than deal with the issues caused by ignoring them completely. From an individual perspective, some people feel the use of security tools on their equipment is an invasion of privacy. For others, the security team members are lifesavers, coming to the rescue every time they are called. They are the white-hatted rangers of cyberspace, saving the day whenever a distress signal is heard. It all depends on who is asking and what they are asking about. Perception is transient. Advocating strong security measures, in the form of policies and adequate enforcement of such, should remain persistent.
C.1.2 Placement of a Security Group in the Organization
Where does security fit in an organization? Does it belong to the CIO, or should it report to the CEO directly? Should there be a centralized function, or should security be distributed across the organization? These are difficult questions to answer. Much of the data needed to answer these types of questions needs to come from an introspective look at the organization itself. It is necessary to determine what level of management attention the security team should have. That should help with the reporting structure. If security is a big issue, for whatever internal reason, then perhaps the CEO will want to keep it reporting directly to him or her. In very large organizations, it may be distributed in a regional model, with each regional security management leader reporting to a regional business leader or president.

Our recommendation, of course, is to place the security organization high enough up the corporate ladder to enable it to effect positive change. It must operate with a high degree of autonomy, and it must be led by someone who is respected by the management team as an effective role model with a high degree of integrity. Once a company comes to terms with whom the security team should report to, the next issue is to figure out what it should look like.
C.1.3 Security Organizational Structure
Before putting a security organization in place, there are a couple of considerations that must be addressed. First, is security something that will likely be a public or private issue for your organization most of the time? If the vast majority of security issues in your organization are never raised to the public, then your security team is likely also going to be a low-profile operation. However, for most companies, this is not the case. Any publicly traded company is more likely to fit in the high-profile, rather than the low-profile, category. If that is the case, then the security team should be structured to respond to issues that could increase exposure to risk, and they should be able to contain that risk in such a manner that all legal requirements are met and the public at large can feel satisfied that the management team is adequately protecting the assets with which they have been entrusted.

Structural issues now must include the basic elements of security, such as incident response, policy development, forensics, training and awareness, perimeter security measures, intrusion detection, secure remote access, and so on. There are many, many distinct areas that have to be addressed in a security plan. How the organization is structured is also a reflection of what