Org Structure and Information Security

by: Jeff Bamberger, Senior Information Assurance Analyst

If you are a member of your organization’s executive team, then you are likely well-versed in various information security responsibilities, either by choice or by regulation. If your organization is in the private sector, one of those responsibilities is likely choosing a framework with which to align your information security program. One such framework is the National Institute of Standards and Technology’s (NIST) Special Publication 800-53. NIST 800-53 is just one of many standards and guidelines published by NIST to assist federal agencies in implementing the Federal Information Security Act of 2002 (FISMA). As a private sector organization, you have the freedom of choice.

There is plenty of evidence throughout the private sector that organizations prefer to align their information security programs with the controls in NIST 800-53. While this increases the likelihood that businesses operate in a controlled manner with a focus on the confidentiality, integrity, and availability of data, it also presents challenges to the executive team. Will your organization have a structure that allows for efficient and effective implementation of controls? Will your organization be configured in a way that supports the desired risk management and security efforts?


Management Information Security Reporting Structure

How your Information Security team’s reporting chain is configured can affect your information security efforts. In many organizations, there is a Chief Information Security Officer (CISO) who is responsible for establishing and maintaining the organization’s security vision and strategy and for protecting the organization’s assets, including data and technology. The CISO often reports to the Chief Information Officer (CIO), who may have the development of the information security program as a primary responsibility. This structure is often not recommended, as it can complicate separation of duties: the person accountable for delivering technology is also the person to whom its security oversight reports.

In addition, not every organization is the same, and structure can vary widely from industry to industry and from company to company within any one industry. For instance, in small, entrepreneurial organizations, executive personnel are often fewer in number and may wear many hats. As a result, some organizations operate without a CIO and have the CISO report directly to the Chief Financial Officer (CFO). There can be significant risk in doing this. The CFO’s typical focus is on maintaining a “reasonable” budget rather than on meeting the needs of the Information Security program. Both goals are important, but if the CFO does not communicate regularly with the CISO and is not made sufficiently aware of the needs of the security function, funding will unquestionably be inadequate, making alignment with frameworks such as 800-53 extremely difficult.

Organizational Culture

How your organization is configured, and the resulting culture, can also have a significant effect on your efforts to align with 800-53 and other information security frameworks. Culture also plays an important role in the identity of your organization. It may be very important to you to provide and promote a positive culture for your staff in order to maintain overall employee satisfaction. It is increasingly popular to structure an organization with a “culture of openness.” However, adversaries often prey upon organizations that are known to have a culture of openness.

Colleges, universities, and other entities involved in research and development are often targets for social engineering, spoofing, phishing, and other email-based malware campaigns. Squelching an organization’s open culture for the sake of security would hinder the company. Rather, you should make sure you understand the associated risks and act accordingly, so that you can simultaneously support both the desired culture and your information security and risk management programs.

Final Thoughts

Building and maintaining a robust information security program is not a small task. If you are a private sector company that has chosen to align with NIST 800-53, for example, your efforts may include ensuring the operating effectiveness of anywhere from 100+ to 300+ controls. Implementing any one control may not tax your organization’s resources, whereas addressing a large number of controls will.

As I have hopefully shown you, structuring your organization efficiently and allowing its culture to flourish will have a significant positive effect on your overall information security effort. But you should not fret if your program is not yet at your target maturity level. It takes time, effort, dedication, and a positive tone that is allowed to permeate the entire organization. As playwright John Heywood has been credited with saying:

“Rome wasn’t built in a day, but they were laying bricks every hour.”
