First, there's the CSO, who is responsible for implementing the security program and protecting the information assets of the organization. The CSO is the coordination point of the security team. This person is responsible for making sure all corporate security policies are enforced and communicating all program results to senior management. The CSO tends to report to the CIO, though in some cases (especially in finance) they report to the CFO or even a chief risk officer (CRO).
At the next level down, I've identified four separate job functions. The first is "infrastructure security." The director of infrastructure security must ensure the security of the plumbing, i.e. networks, data centers and endpoints. This role may or may not control the resources that perform the work -- network security may report into the network group, and data center security may be in the operations group. Regardless of where the work gets done, infrastructure security management needs to coordinate all the resources.
Second is "information/data security." This person is responsible for all content and applications that run the business. Securing data is distinctly separate from securing the infrastructure and should be treated as such. Again, this director will act as a coordination point, working closely with the application development teams to ensure new systems are secure before they go live.
Third is "security assurance." This role serves as a designated tester, making sure the CSO isn't caught off guard. The security assurance coordinator constantly pokes and prods at business systems and networks, making sure there are no easy exploits that can compromise the organization. They're responsible for working with the appropriate resources to fix issues they find. The security assurance director should have the authority to administer internal social engineering to prepare for attacks. If a new attack vector is identified in a penetration test, the assurance group is not doing its job.
Finally, there is the "security architect," who verifies that the appropriate security layers are in place to protect the environment. This person needs to understand how everything fits together, and be able to ensure that all implemented controls are complementary and do not cancel each other out.
Again, I've seen few organizations structured like this, but they should be.
This was first published in June 2007