I am researching the best way to organize an IT security team. What would you consider to be the best organizational
structure for an IT security staff?
This is a pretty timely question, considering I'm in the process of researching how security organizations must evolve to stay updated on attacks and threats that affect organizational models. Though I believe the organization model that I'm developing is a bit early relative to what I'm seeing in the field, I think it represents a realistic goal for many organizations.
First, there's the CSO, who is responsible for implementing the security program and protecting the information assets of the organization. The CSO is the coordination point of the security team. This person is responsible for making sure all corporate security policies are enforced and communicating all program results to senior management. The CSO tends to report to the CIO, though in some cases (especially in finance) they report to the CFO or even a chief risk officer (CRO).
At the next level down, I've identified four separate job functions. The first is "infrastructure security." The director of infrastructure security must ensure the security of the plumbing, i.e. networks, data centers and endpoints. This role may or may not control the resources that perform the work -- network security may report into the network group, and data center security may be in the operations group. Regardless of where the work gets done, infrastructure security management needs to coordinate all the resources.
Second is "information/data security." This person is responsible for all content and applications that run the business. Securing data is distinctly separate from securing the infrastructure and should be treated as such. Again, this director will act as a coordination point, working closely with the application development teams to ensure new systems are secure before they go live.
Third is "security assurance." This role serves as a designated tester, making sure the CSO isn't caught off guard. The security assurance coordinator constantly pokes and prods at business systems and networks, making sure there are no easy exploits that can compromise the organization. They're responsible for working with the appropriate resources to fix issues they find. The security assurance director should have the authority to administer internal social engineering to prepare for attacks. If a new attack vector is identified in a penetration test, the assurance group is not doing its job.
Finally, there is the "security architect," who verifies that the appropriate security layers are in place to protect the environment. This person needs to understand how everything fits together, and be able to ensure that all implemented controls are complimentary and do not cancel each other out.
Again, I've seen few organizations structured like this, but they should be.
For more information:
Dig deeper on Business Management: Security Support and Executive Communications
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.