November 3, 2015 By Brett Valentine 3 min read

The Security Program Core Structure

A high-performing security organization is not just names on boxes or a set of software. It is the relationships between those boxes, the caliber of the talent filling them, the processes that incorporate the technology, and the essential activities that go beyond keeping the lights on.

When I’m asked, “How should I structure my security organization?” I will likely draw the model below. There are four simple rectangles for the four core security domains, with connections and associations with other IT communities.

Each of the domains has its own goals, partners and processes:

  • A security policy management program liaises with legal, internal audit, HR and the project management office (PMO) to set strategic security direction, policies, standards and processes.
  • The network, intrusion and event security program meets the needs of IT operations and internal audit teams by ensuring the borders are sealed and security events are swiftly reported and managed.
  • An identity and access management program meets the needs of enterprise architecture, internal audit, business owners and HR by ensuring users are managed properly and access is enforced appropriately for each enterprise resource.
  • The security operations program works with IT operations to implement changes, ensure availability of the service and run the security solutions.

Security Primary Program Roles

Each of these programs has a program leader and program engineer(s). Each role can have brilliant and profound impacts, but the two are rarely the same person.

  • A program leader sees, acts on and often defines the vision. He or she has political capital and can easily navigate the organization, communicate with executives, build trust and, most importantly, lead from the front.
  • A program engineer is driven by that vision toward creative solutions — technical, process, social, etc. Engineers are efficient, technically intelligent, collaborative and results-driven, but they don’t get buried by details. They may touch the keyboard, but mostly to prove their ideas.

There are other roles that are essential to the success of each program, but those are more generalist and can be staffed as shared services, as we’ll see in a moment.

I have worked with dozens of Fortune 1000-sized clients. I have seen a number of failed solution deployments, major program delays and huge capital expenditures with minimal value delivered. In nearly every case, a contributing factor to these failures is lack of involvement and leadership by the program leader. Blame is often spread widely, but strong leaders can overcome obstacles that others use to heap on blame. Security program leaders fail when they abstract themselves from the details, try to be too much of an executive and don’t give direction grounded in an understanding of the situation.

Shared Services

Are there other ways to successfully distribute responsibility? Yes. Is the 4×4 security organization model the perfect structure for every company? No. Does this work for crisis-driven events? Maybe.

There is no one-size-fits-all solution, and a hierarchical structure was proven ineffective by management experts as early as the 1950s. Furthermore, it’s clear from our experience that it’s not always possible to have dedicated business analysts or project managers within the security organization or each security program. So by blending the hierarchy, matrix and shared service models, it’s possible to do a lot with a small team.

This is where shared services team members create a matrix structure and bring essential organizational diversity to the security programs. Each of the roles is an important liaison to other parts of the organization.

The roles connect to many other aspects of the business and its partners:

  • Business analysts are the primary liaison to the lines of business.
  • Project managers utilize PMO and SDLC standards to lead successful projects within the program road map.
  • Security operations implements the solutions and is a key actor in many security processes.
  • Security vendors provide external input and subject matter expertise not available within the organization.

The Big Picture

Now that we’ve defined the programs and essential roles, we have a collective view of the holistic 4×4 security organization, with four primary programs and four mechanisms to engage with the business.

In subsequent articles, we will discuss the essential security program activities, management tools and success factors.
