November 3, 2015 By Brett Valentine 3 min read

The Security Program Core Structure

A high-performing security organization is not just names in boxes on an org chart or a set of software products. It is the relationships between those boxes, the caliber of the talent filling them, the processes that put the technology to work, and the essential activities that go beyond keeping the lights on.

When I’m asked, “How should I structure my security organization?” I will likely draw the model below. There are four simple rectangles for the four core security domains, with connections and associations with other IT communities.

Each of the domains has its own goals, partners and processes:

  • A security policy management program liaises with legal, internal audit, HR and the project management office (PMO) to set strategic security direction, policies, standards and processes.
  • The network, intrusion and event security program meets the needs of IT operations and internal audit teams by defending the network perimeter and ensuring that security events are swiftly detected, reported and managed.
  • An identity and access management program meets the needs of enterprise architecture, internal audit, business owners and HR by ensuring users are managed properly and access is enforced appropriately for each enterprise resource.
  • The security operations program works with IT operations to implement changes, ensure availability of the service and run the security solutions.

Security Primary Program Roles

Each of these programs has a program leader and program engineer(s). Each role can have brilliant and profound impacts, but the two are rarely the same person.

  • A program leader sees, acts on and often defines the vision. He or she has political capital and can easily navigate the organization, communicate with executives, build trust and, most importantly, lead from the front.
  • A program engineer is driven by that vision toward creative solutions — technical, process, social, etc. Engineers are efficient, technically intelligent, collaborative and results-driven, but they don’t get buried by details. They may touch the keyboard, but mostly to prove their ideas.

There are other roles that are essential to the success of each program, but those are more generalist and can be staffed as shared services, as we’ll see in a moment.

I have worked with dozens of Fortune 1000-sized clients. I have seen a number of failed solution deployments, major program delays and huge capital expenditures with minimal value delivered. In nearly every case, a contributing factor to these failures is a lack of involvement and leadership by the program leader. Blame is often spread widely, but strong leaders overcome the very obstacles that others point to when assigning it. Security program leaders fail when they abstract themselves from the details, try to be too much of an executive and give direction that is not grounded in an understanding of the situation.

Shared Services

Are there other ways to successfully distribute responsibility? Yes. Is the 4×4 security organization model the perfect structure for every company? No. Does this work for crisis-driven events? Maybe.

There is no one-size-fits-all solution, and purely hierarchical structures have been criticized by management theorists since the 1950s. Furthermore, it's clear from our experience that it's not always possible to have dedicated business analysts or project managers within the security organization or within each security program. By blending the hierarchy, matrix and shared service models, it's possible to do a lot with a small team.

This is where shared services team members create a matrix structure and bring essential organizational diversity to the security programs. Each of the roles is an important liaison to other parts of the organization.

The roles connect to many other aspects of the business and its partners:

  • Business analysts are the primary liaison to the lines of business.
  • Project managers utilize PMO and SDLC standards to lead successful projects within the program road map.
  • Security operations implements the solutions and is a key actor in many security processes.
  • Security vendors provide external input and subject matter expertise not available within the organization.

The Big Picture

Now that we’ve defined the programs and essential roles, we have a collective view of the holistic 4×4 security organization, with four primary programs and four mechanisms to engage with the business.

In subsequent articles, we will discuss the essential security program activities, management tools and success factors.
