Establishing an effective security organization is always a challenge. Clearly defined responsibilities and scope of authority for security organizations vary widely across different companies and industries. To help address this challenge, I have developed the following model organizational framework for the information security function. As a model, this should be considered a starting point for adapting to a particular environment, not a set-in-stone guide as to the division of responsibilities, nor should it be considered all-encompassing in defining every possible function to be performed.
In preparing this guide, I considered not only the different responsibilities to be performed but also the personalities of the professionals performing them. Not all security professionals are identical, and just as in the medical profession, security professionals tend to gravitate into particular subspecialties based on their personality and interests. Trying to make every security professional a generalist is a recipe for mediocracy and failure, likewise, an information security organization without distinct responsibilities and staff to perform them is no organization at all.
The acronym DIOR, stands for what I consider the key responsibilities of any security organization – Define (the risk & plan), Implement (the plan), Operate (the plan), Respond (to incidents). How these components are organized, as departments within the overall security organization, or spread across multiple departments in a matrixed fashion, is highly dependent on where Information Security sits within the organization and the scope of authority of the Chief Information Security Officer (CISO).
The overarching goal of any security organization should be to defend the brand and operations of the business from cyber threats. Implementing a risk-based security program and plan is the best way to achieve this goal.
To accomplish the objective of defining the security program, the following functions should be performed:
- Determine the likely threats to the organization
- Assess the risks posed by these threats (Impact x likelihood)
- Determine the appropriate treatments for the risks including costs
- Rank/prioritize the risk treatment recommendations based on the organization’s risk tolerance, budgets, constraints, and competing initiatives
- Develop the policies needed to address the agreed-upon risks
- Review/update the policies annually with stakeholder input
- Monitor changes in the threat environment and update risk plans ad hoc and annually
- Monitor the effectiveness of controls in reducing risk and update risk plans accordingly
- Monitor adherence within the organization to defined policies and standards
- Train and ensure ongoing awareness of risk, policies, and controls in workers
- Inform stakeholders and leadership on the plan and progress against it
- Develop and maintain metrics on risk plan performance
- Execute and monitor the risk plan
- Interface with key stakeholders to gain consensus and support, and report progress
- Staff and manage the IS organization
Implementation of the security policy is done through controls, processes, and technologies, which are integrated into the existing environment. A common failing of information security is to introduce controls without consideration of the impact that they have on business/IT operations, worker productivity or ongoing support cost.
Companies tend to accumulate a large and expensive variety of “shelf-ware” – security products that were purchased and never fully Implemented or integrated. Over time this legacy of failed decisions erodes support and trust from the company’s leadership for new tools, technologies and processes to support the CISO’s security goals.
By centralizing and separating the selection of security tools from the development of threat-based policy requirements, the impulse to “buy the silver bullet solution” is reduced, and more rational analysis can be performed.
To accomplish the objective of implementing security controls, the following functions should be performed:
- Evaluate/recommend control technologies and processes needed to meet policy requirements and integrate into the business environment
- Keep abreast of changes in technologies and processes that impact organizational security
- Review/approve changes in the organization’s technology environment
- Develop secure architectures for technology deployment, aligned to the business needs of the organization
- Develop standards for the secure configuration of IT/IS products and services and update annually and as needed
- Work with IT operations in the implementation and configuration of security-related technologies
Operate (Sec Ops)
Operating security technologies effectively is a requirement all too often given short shrift in many organizations, and as a result, expected gains in risk reduction are rarely achieved. Centralizing security operations, and considering the cost of this in technology/process decisions, ensures that costs/benefits are realistically addressed in the evaluation of alternatives.
All too often companies attempt to address these shortfalls by outsourcing the operational responsibility. However, lacking clearly defined roles/responsibilities and metrics for performance, the result is that ineffectiveness has just been moved “out of sight and out of mind” – the end result is still poor performance, there is now just an external party to blame for it.
To accomplish the objective of effective operations, the following functions should be performed (this is much larger than it looks due to the number of technologies typically deployed):
- Operate and monitor the security suite of tools to prevent, detect and respond to intrusions or attacks
- Investigate possible intrusions, raising confirmed or suspected intrusions to the Response team as appropriate to the risk
- Coordinate with IT operations (internal or outsourced) to track and remediate identified issues
A security program that has not prepared for the eventuality of failure is a failed security program. Incidents are inevitable in any security organization, regardless of size or budget. The degree to which organizations are prepared for these events is what determines whether the organization survives or suffers significant costs or even business failure.
A common flaw in security organizations is to not staff for response/recovery as a dedicated function, which is to say that preparation is ad hoc at best as it is left to the rest of the organization. Especially if the function encompasses forensic analysis, dedicated professionals are required in order to be effective as training and focus is required to keep current on constantly changing attack methods and trends.
To accomplish the objective of preparing for and responding to incidents, the following functions should be performed:
- Investigate possible attacks as raised by Operations and coordinate response, remediation, and recovery as appropriate
- Plan and prepare for likely attack scenarios and train participants in what to expect and how to respond
- Monitor operational threat intelligence and alert the organization as needed to significant new threats
- Test the resiliency of the organization and effectiveness of controls on a periodic basis
- Prepare and coordinate outside resources as needed to support response activities
There is no “one size fits all” model for information security, however, without a model and plan, security organizations in my experience tend to evolve organically in response to changing crisis, existing structures, and management pressures. Having a plan for developing a security organization, that is based on the rational needs to solving the problem of reducing risk to the organization, can go a long way toward establishing a firm foundation on which to build a successful and effective information security program.