As cybersecurity becomes ever more important, organizations are increasingly trying to determine how to best organize...
their cybersecurity teams. They want to be sure that their teams are managing and performing the right functions, and that the teams' staff is being effectively and efficiently used.
There is no one size fits all method for organizing a cybersecurity team. Each organization must have a team that's appropriate for its particular culture and priorities. However, there are some core principles that all organizations should consider when organizing their cybersecurity team.
Senior management support of the cybersecurity team is critical. Ensure that your organization's cybersecurity team has a formal, documented charter that is annually approved by senior management.
The charter should describe the primary responsibilities and objectives of the team, how it will make decisions and its typical deliverables. A charter provides clarity for team members and shows the rest of the organization that the team is supported by senior management.
An organization's cybersecurity team needs to manage and perform the right functions. So what's the best way to determine those functions?
Carnegie Mellon University's well-respected Software Engineering Institute has created a framework that proposes structuring a cybersecurity team around four key functions.
- Protect, shield, defend and prevent: Proactively protect, shield and defend an organization from cyber threats and prevent cybersecurity incidents.
- Monitor, detect and hunt: Monitor ongoing operations and actively hunt for and detect adversaries.
- Respond, recover and sustain: Minimize the impact of cybersecurity incidents and return assets to normal operations as quickly as possible.
- Govern, manage, comply, educate and manage risk: Provide oversight, management, performance measurement and improvement for all the cybersecurity activities. Ensure compliance with all the external and internal requirements and appropriately mitigate risk.
This ambitious framework sounds great in theory, but is likely only realistic at larger organizations that have mature cybersecurity practices.
A framework that is based on an approach developed by security expert Mike Rothman is likely more realistic and pragmatic for many organizations. In this framework, an organization's cybersecurity team has an individual (e.g., a CSO) who has overall responsibility for implementing an organization's cybersecurity program, and who is the team's coordination point. This person is responsible for ensuring compliance with security policies and communicating cybersecurity program results to senior management. At a minimum, the following four separate functions should report to the CSO:
- Infrastructure security: Responsible for ensuring the security of the organization's technical infrastructure (e.g., servers, networks). This person or team may or may not directly control the staff that performs the work (e.g., firewall administrators may report to a network team), but, regardless of who performs the work, infrastructure security should coordinate all the appropriate staff to ensure the work is done correctly and promptly.
- Data security: Responsible for ensuring the security of the organization's data and applications. As with infrastructure security, this person or team may or may not control the staff that performs the work; data security needs to coordinate all the appropriate staff. In particular, this person or team must work closely with application developers to ensure new applications are secure before they are put into production.
- Security testing: Responsible for regularly testing an organization's security controls (e.g., penetration tests, vulnerability assessments). This person or team is responsible for working with the appropriate staff to mitigate all the discovered significant vulnerabilities.
- Security architecture: Responsible for verifying that the appropriate security controls are in place to protect an organization's sensitive data and information systems. From a big picture perspective, this person or team focuses on ensuring that all the security controls are complementary.
There should also be a cybersecurity advisory group, composed of senior executives, that is responsible for advising the CSO about the organization's risk tolerance and ensuring that key cybersecurity program objectives are met.
Organizations should map their current cybersecurity staff to the above framework and identify where they have full, partial or no staff. For areas with partial or no staff, determine if the skills exist elsewhere in the organization (e.g., a developer with cybersecurity skills could move to the data security team) or consider outsourcing options.
Continuous improvement cycle
An organization's cybersecurity team should have a continuous improvement cycle. It's not enough to just set up a cybersecurity team; the team needs to regularly adjust and improve to meet your organization's needs. Your organization's cybersecurity team should be based on the following continuous improvement principles:
- Plan and organize: Perform a risk assessment, develop security architectures and obtain management approval.
- Implement: Develop and implement security policies, standards and procedures. Implement cybersecurity programs (e.g., change control, identity management) to comply with security policies. Implement auditing and monitoring for each program. Establish goals and metrics for each program.
- Operate and maintain: Follow cybersecurity program procedures and tasks. Perform internal and external audits. As appropriate, manage program service-level agreements.
- Monitor and evaluate: Review logs and audit results and metrics for each program. Assess the accomplishment of program goals. Use a maturity model such as COBIT to regularly define process maturity levels and to identify areas where improvement is needed. Develop improvement steps and integrate them into the plan and organize phases.
Your cybersecurity team is a key part of your organization. Follow the above recommendations to help ensure that your organization has a cybersecurity team that is managing and performing the right functions and appropriately protecting your organization.
Learn how to foster cooperation between system admins and the security team
Discover how to develop a strategic security plan for enterprises
Check out some ways to handle a problematic cybersecurity expert on your team