
What is the best organizational model for an IT security staff?

In this Q&A, security management expert Mike Rothman outlines the essential policies, procedures and job functions that make an IT security staff function successfully.

I am researching the best way to organize an IT security team. What would you consider to be the best organizational structure for an IT security staff?

This is a pretty timely question, considering I'm in the process of researching how security organizations must evolve to stay updated on attacks and threats that affect organizational models. Though I believe the organization model that I'm developing is a bit early relative to what I'm seeing in the field, I think it represents a realistic goal for many organizations.

First, there's the CSO, who is responsible for implementing the security program and protecting the information assets of the organization. The CSO is the coordination point of the security team. This person is responsible for making sure all corporate security policies are enforced and communicating all program results to senior management. The CSO tends to report to the CIO, though in some cases (especially in finance) they report to the CFO or even a chief risk officer (CRO).

At the next level down, I've identified four separate job functions. The first is "infrastructure security." The director of infrastructure security must ensure the security of the plumbing, i.e. networks, data centers and endpoints. This role may or may not control the resources that perform the work -- network security may report into the network group, and data center security may be in the operations group. Regardless of where the work gets done, infrastructure security management needs to coordinate all the resources.

Second is "information/data security." This person is responsible for all content and applications that run the business. Securing data is distinctly separate from securing the infrastructure and should be treated as such. Again, this director will act as a coordination point, working closely with the application development teams to ensure new systems are secure before they go live.

Third is "security assurance." This role serves as a designated tester, making sure the CSO isn't caught off guard. The security assurance coordinator constantly pokes and prods at business systems and networks, making sure there are no easy exploits that can compromise the organization. They're responsible for working with the appropriate resources to fix issues they find. The security assurance director should have the authority to administer internal social engineering to prepare for attacks. If a new attack vector is identified in a penetration test, the assurance group is not doing its job.

Finally, there is the "security architect," who verifies that the appropriate security layers are in place to protect the environment. This person needs to understand how everything fits together, and be able to ensure that all implemented controls are complementary and do not cancel each other out.

Again, I've seen few organizations structured like this, but they should be.

This was last published in June 2007
