The Security Program Core Structure

A high-performing security organization is not just names on boxes or a set of software. It is relationships between those boxes, the caliber of talent filling the boxes, the processes that incorporate the technology and essential activities that are not just aimed at keeping the lights on.

When I’m asked, “How should I structure my security organization?” I will likely draw the model below. There are four simple rectangles for the four core security domains, with connections and associations with other IT communities.

Each of the domains has its own goals, partners and processes:

• A security policy management program liaises with legal, internal audit, HR and the project management office (PMO) to set strategic security direction, policies, standards and processes.
• The network, intrusion and event security program meets the needs of IT operations and internal audit teams by ensuring the borders are sealed and security events are swiftly reported and managed.
• An identity and access management program meets the needs of enterprise architecture, internal audit, business owners and HR by ensuring users are managed properly and access is enforced appropriately for each enterprise resource.
• The security operations program works with IT operations to implement changes, ensure availability of the service and run the security solutions.

Security Primary Program Roles

Each of these programs has a program leader and program engineer(s). Each role can have brilliant and profound impacts, but the two are rarely the same person.

• A program leader sees, acts on and often defines the vision. He or she has political capital and can easily navigate the organization, communicate with executives, build trust and, most importantly, lead from the front.
• A program engineer is driven by that vision toward creative solutions — technical, process, social, etc. Engineers are efficient, technically intelligent, collaborative and results-driven, but they don’t get buried by details. They may touch the keyboard, but mostly to prove their ideas.

There are other roles that are essential to the success of each program, but those are more generalist and can be staffed as shared services, as we’ll see in a moment.

I have worked with dozens of Fortune 1000-sized clients. I have seen a number of failed solution deployments, major program delays and huge capital expenditures with minimal value delivered. In nearly every case, a contributing factor to these failures is lack of involvement and leadership by the program leader. Blame is often spread widely, but strong leaders can overcome obstacles that others use to heap on blame. Security program leaders fail when they abstract themselves from the details, try to be too much of an executive and don’t give direction grounded in an understanding of the situation.

Shared Services

Are there other ways to successfully distribute responsibility? Yes. Is the 4×4 security organization model the perfect structure for every company? No. Does this work for crisis-driven events? Maybe.

There is no one-size-fits-all solution, and a hierarchical structure was proven ineffective by management experts as early as the 1950s. Furthermore, it’s clear from our experience that it’s not always possible to have dedicated business analysts or project managers within the security organization or each security program. So by blending the hierarchy, matrix and shared service models, it’s possible to do a lot with a small team.

This is where shared services team members create a matrix structure and bring essential organizational diversity to the security programs. Each of the roles is an important liaison to other parts of the organization.

The roles connect to many other aspects of the business and its partners:

• Business analysts are the primary liaison to the lines of business.
• Project managers utilize PMO and SDLC standards to lead successful projects within the program road map.
• Security operations implements the solutions and are key actors in many security processes.
• Security vendors provide external input and subject matter expertise not available within the organization.

The Big Picture

Now that we’ve defined the programs and essential roles, we have a collective view of the holistic 4×4 security organization, with four primary programs and four mechanisms to engage with the business.

In subsequent articles, we will discuss the essential security program activities, management tools and success factors.