Over the last few years I’ve seen many different types of Security Organizations. Some organizations centralize IT Security, some security shops have a hybrid security organization with some security technology under Security and other technology under IT Infrastructure, and some organizations are very lightweight and only maintain Information Security strategy. I have only once seen a CISO who was a respected C-Level business member reporting to the CEO, maintained Information Security strategy (Security in plain business terms), AND had direct reports who helped to translate that strategy into the execution of IT Security Operations. I reflect on the event as the one time I saw the Security unicorn. The security strategy worked perfectly, it was aligned with the CEO’s strategy, it could be turned on a dime, and it was operationalized in perfect concert with the CISO’s strategy. I thought to myself, this is how security should be managed and this is how all Security shops should be set up. Below is my proposal on how all Security departments should be configured, and the next few points highlight why our time to act is now.
1. Our Security Industry is Evolving.
Over the past couple of years we’ve seen the security industry grow a lot. We’re a young profession working our way through the growing pains of helping our business organizations figure out what “Information Security” and “IT Security” (April Blog Post) should be and how to best help the companies and businesses we work for. To add to the growing pains, the Security profession has had to grapple with an increasingly complex threat landscape, and as our role becomes more visible the expectations on us are increasing. The issue becomes bigger when Security teams are asked to do more with static headcount and budgets. In 2014, according to ZDNet’s Security Budget Survey, 41% of IT Security Departments will see budget increases (which is a 16% positive response increase over 2013); but 2014 IT Budgets overall are increasing too: according to Network World’s IT Budget Survey 65% of IT Departments will see an overall increase, and TripWire estimates the IT Department budget average increase to be 4.06%. So, Security budgets are increasing but not at the rate of average IT budgets.
In the Security Budget Round Up for CISOs, the Security Leadership interviewed did note they were hiring, but demand for IT Security professionals far outweighs the supply, and 31% of companies face the supply and demand dilemma. I hear often that there’s a gap in the Security talent pool, and I understand that we all want to hire the best talent, but we can’t all be the New York Yankees and Boston Red Sox; sometimes you have to be the Oakland Athletics and build your team from a group of people interested in playing the game. Our time to develop our talent is now, and we need to teach them how security should be done so they can carry the legacy forward.
2. Our CISOs are (finally) being seen as business advisors.
The good news is we’re seeing the rise of the Chief Information Security Officer (CISO), and recent PricewaterhouseCoopers Information Security Reports suggest things are looking up for Security Organizations; you can download your report here. This is a happy evolution of the CISO because we’ve struggled for so long to find Business Executives versed in Security, and we finally have folks talking about security in terms that CEOs and Boards can relate to.
We’re starting to get the right players in place to successfully lead Security Organization 2.0.
3. We’re burning out our very precious and limited Security Talent.
Unfortunately, I see many CISOs sacrifice the responsibility of Security by offloading operational IT Security responsibilities to other IT departments so they (the CISOs) can focus their time on Information Security. Admittedly, a CISO should be focused on strategy, but Accountability with no Responsibility creates a very stressful work environment, and it’s why we see high rates of burnout in the Security profession, especially among IT Security staff.
More and more I’m seeing Security operations shouldered by IT Applications and IT Infrastructure teams because the Security department doesn’t have the staff to support enterprise-level Security operations. This often means the IT Departments responsible for system availability are also responsible for security, and sometimes that’s a conflict of interest. Managing Security Technology requires a specific skill set, a crafted attention to detail, and constant care and feeding. IT Security technology is not a set-it-and-forget-it technology. We need to centralize IT Security under a CISO and start to develop the core competency.
4. A CIO (Chief Information Officer) or CFO (Chief Financial Officer) would never survive in the Security Paradigm.
What if our CIOs and CFOs had to struggle with the same issue that Security deals with: managing a strategy with distributed operations? How effective would these functions be? What if CIOs just led a strategy and each business department was responsible for establishing its own technology platforms? That situation is called Shadow IT, and it’s considered a problem: businesses suffer from wasted time, inconsistent business logic, an inconsistent approach, wasted investment, business inefficiencies, high risk of information sprawl, barriers to enhancement, and organizational dysfunction. It would be a disaster and a waste of resources, and we’d be writing about whether the CIO job is too big for one person. Imagine if our CFOs were in the same position. The balance sheets of our companies would be disorganized and incomplete, we would be sitting ducks for shareholder lawsuits because of inaccurate and misleading financial statements, and our businesses would struggle to figure out cash flow month over month.
Why should Security be any different?
4. IT Staff aren’t IT Security (or Information Security) Professionals.
Most IT Security professionals are born out of love for the profession. We’re self-taught. There’s no fancy Security MBA (although it might be neat). Some of the best Security professionals I have ever worked with don’t have any fancy certificates or degrees; they are geeks who read everything and are voracious consumers of information. IT Staff such as Network Engineers are focused on network routing, switching, and telecommunications. I’ve never seen a network engineer spend time researching zero-day malware and inserting that signature into an IPS device to prevent any potential infection; that’s a Security job. I’ve also never seen a DBA research new SQL Injection attacks or worry about Transparent Data Encryption; DBAs are focused on schema architecture and performance tuning. That’s not to say Network Engineers or DBAs don’t take a periodic interest in Security, but their job IS NOT security, it’s service delivery, and they are evaluated on the delivery of their service, not on how secure everything is.
Security technology should be a very coordinated effort: threat and vulnerability management should tie into security device management, which should tie into Security Engineering, which should be tied to Policies and Security Architecture. This coordination usually requires a very focused and dedicated perspective on the security trade.
The Security Organization 2.0 solution.
To summarize this model, the CISO is a peer to the other C-Levels and helps to mature Security strategy based on business goals and objectives. The CISO needs to have direct reports who can help translate Business Strategy into IT Security strategy; these individuals also need to backfill the CISO by establishing relationships with business peers. One key point here is that all Information Security AND IT Security Operations report into the CISO. This helps to ensure that a CISO can maintain the integrity of their Security and Compliance architectures, and that the integrity of the environment isn’t threatened in the name of service availability. As a former CISO myself in a distributed Security model, I have been in the very unfortunate situation of hearing that our Security perimeter was sacrificed for something as simple as adding a Web Server to a PCI Network Segment to increase processing capacity. For all the PCI gurus out there, you know that these types of changes have to be handled in a very specific way to maintain compliance. However, if my staff had been responsible for the firewalls, we would have known about the change beforehand instead of finding out a couple of days later.
This is a great model. Forrester did a great job documenting the details of the graphic. For additional details on what each pillar is and does, refer back to the Forrester white paper.
To take this one step further, this model could also extend to a Chief Security Officer (CSO) by adding a pillar for Physical Security to develop a converged security model.