The Security Program Core Structure

A high-performing security organization is not just names on boxes or a set of software. It is the relationships between those boxes, the caliber of the talent filling them, and the processes that tie the technology to essential activities beyond simply keeping the lights on.

When I’m asked, “How should I structure my security organization?” I usually draw the model below: four simple rectangles for the four core security domains, with connections and associations to the other IT communities each one depends on.

Each of the domains has its own goals, partners and processes:

  • A security policy management program liaises with legal, internal audit, HR and the project management office (PMO) to set strategic security direction, policies, standards and processes.
  • The network, intrusion and event security program meets the needs of IT operations and internal audit teams by ensuring the borders are sealed and security events are swiftly reported and managed.
  • An identity and access management program meets the needs of enterprise architecture, internal audit, business owners and HR by ensuring users are managed properly and access is enforced appropriately for each enterprise resource.
  • The security operations program works with IT operations to implement changes, ensure availability of the service and run the security solutions.

Security Primary Program Roles

Each of these programs has a program leader and one or more program engineers. Each role can have a profound impact, but the two are rarely the same person.

  • A program leader sees, acts on and often defines the vision. He or she has political capital and can easily navigate the organization, communicate with executives, build trust and, most importantly, lead from the front.
  • A program engineer is driven by that vision toward creative solutions, whether technical, process or social. Engineers are efficient, technically sharp, collaborative and results-driven, but they don’t get buried in details. They may touch the keyboard, but mostly to prove out their ideas.

There are other roles that are essential to the success of each program, but those are more generalist and can be staffed as shared services, as we’ll see in a moment.

I have worked with dozens of Fortune 1000-sized clients. I have seen a number of failed solution deployments, major program delays and huge capital expenditures that delivered minimal value. In nearly every case, a contributing factor was a lack of involvement and leadership by the program leader. Blame is often spread widely, but strong leaders overcome the obstacles that others use as excuses. Security program leaders fail when they abstract themselves from the details, try too hard to be executives and give direction that is not grounded in an understanding of the situation.

Shared Services

Are there other ways to successfully distribute responsibility? Yes. Is the 4×4 security organization model the perfect structure for every company? No. Does this work for crisis-driven events? Maybe.

There is no one-size-fits-all solution, and management experts were questioning the effectiveness of a purely hierarchical structure as early as the 1950s. Furthermore, it’s clear from our experience that it’s not always possible to have dedicated business analysts or project managers within the security organization or within each security program. By blending the hierarchy, matrix and shared service models, it’s possible to do a lot with a small team.

This is where shared services team members form the matrix dimension of the structure and bring essential organizational diversity to the security programs. Each of these roles is an important liaison to another part of the organization.

The roles connect to many other aspects of the business and its partners:

  • Business analysts are the primary liaison to the lines of business.
  • Project managers utilize PMO and SDLC standards to lead successful projects within the program road map.
  • Security operations implements the solutions and is a key actor in many security processes.
  • Security vendors provide external input and subject matter expertise not available within the organization.

The Big Picture

Now that we’ve defined the programs and essential roles, we have a collective view of the holistic 4×4 security organization, with four primary programs and four mechanisms to engage with the business.

In subsequent articles, we will discuss the essential security program activities, management tools and success factors.
