This blog post is part of a multi-part series on designing an information security program that aligns with your most important business objectives. You can also watch the recorded webinar on this topic for more ideas.
Security, privacy, and compliance are not technical problems to be solved by subject matter experts. These issues are top-down initiatives directly tied to revenue generation, company reputation, and the long-term sustainability of your organization.
The fact is that if your organization does not implement an effective security program and has the ability to effectively articulate your security program to others, you will not be able to gain/maintain the trust of your prospective and existing customers, partners, or stakeholders. Few other business problems are as significant.
In this chapter, we will discuss how to optimize your organizational structure to seamlessly overlay security and compliance without burdening your leadership team or creating unnecessary bureaucratic burden. We will also present a variety of organizational structure options based on your organizational maturity, as well as outline the typical roles and responsibilities of leadership.
Pillars of Security Program Organizational Structure
First, let us discuss the pillars of a security program organizational structure. These are common elements of almost any security program regardless of organizational size or overall maturity.
- Top-Level Leadership – Includes members of the executive team that have the authority and insight to make decisions on behalf of the business. They can appropriately level-set security relative to other business priorities and will ultimately drive strategy, mission, objectives, and culture. The executive sponsor will also be charged with budgetary approvals.
- CISO (or equivalent) – Ultimately, someone responsible and accountable for the security program. In many organizations, that will be an official CISO, while in other organizations, this will be an individual who holds security as an additional duty or chairs the security committee. In either case, a single individual should be charged with formally owning the security program.
- Information Risk Council (IRC) – The IRC (called by many names) is a cross-functional committee that will plan security strategy, drive security policy, and set priorities. The primary goal of the IRC is to get all stakeholders in the business at a single table on a periodic basis to make decisions related to information security. Since these types of decisions should be directly tied to business objectives and informed by activities across the organization, it is imperative the IRC be cross-functional and have representation from multiple business units. This is a big commitment, and we will discuss later in the chapter how to make this a valuable meeting.
- Functional Area Leadership – Functional area leaders (such as members of human resources, engineering, operations, etc.) play an important role in governing the security program. They will drive functional or business unit strategy and decision making in line with the top-level mission, objectives, culture, and policies.
- Security Champions – Most organizations will not have full-time security professionals embedded in every functional area. As a result, the organization should identify “security champions” in each department that are not official security resources but will act as an advocate of security. These individuals will often receive special training and be your primary point of contact and “influencer” to help seamlessly integrate security with day-to-day business operations.
The Information Risk Council (IRC)
The IRC is the most important element of a security program’s organizational structure. It is the structure that provides the security program cross-functional authority and visibility while simultaneously granting functional areas autonomy to carry out business functions in a way that makes the most sense. It is the right balance of top-level governance and functional area freedom. As you will see in the example organizational structures below, the IRC plays an important role regardless of organizational size or maturity.
Why Establish an IRC
The IRC solves many problems in the traditional security program organizational structure. If you are getting pushback from leadership about forming an IRC, here are a few business reasons to charter the organization:
For the IRC to be effective, it must be cross-functional. The fact is, information security is not a stand-alone business function, but rather an overlay into every aspect of the business. However, it must be recognized that you do not want to waste any team member’s time (especially executive team members).
The IRC must have the right members, the meetings must be crisp, and everyone must find value in attendance. We will discuss in a chapter xyz/post link how to design effective meetings.
Below is an example of potential members in your own IRC.
IRC Roles and Responsibilities
Once you have identified the right stakeholders to join the IRC, it is important that you clearly communicate roles and responsibilities. This should be formally documented in an IRC charter. Here are a few of the key elements of an effective IRC charter:
- Ratify policies and procedures
- Grant policy exceptions as appropriate and in accordance with risk treatment
- Provide oversight to project teams accepting risks for the organization
- Provide reporting and transparency into risk management via reporting to the top-level leadership and the board of directors
- Ensure compliance with enterprise policies and regulatory controls as related to risk assessment and risk management activities
- Establish and facilitate the risk management program, processes, and reporting
- Perform an annual information technology risk assessment per the risk management policy to identify risks
- Document identified risk in the risk register for tracking and remediation
- Evaluate, determine, and approve risk treatment plans for identified risks (this applies to projects, integrations, acquisitions, operations, contractual agreements, and all other activities which may introduce risk to the organization)
- Obtaining project and associated budgetary approval from the appropriate stakeholder(s) prior to initiating any risk treatment projects
- Regularly report to the executive team and board of directors about committee activities, issues and related recommendations including distribution of minutes of all audit committee meetings
- Provide an open avenue of communication between the CFO and the rest of the executive team
Common Organizational Structures by Organizational Maturity
Now that we understand common organizational components and the critical role of the IRC, let’s explore three common organizational structures: start-up, small/medium businesses, and enterprise organizations.
Profile: 0 – 250 employees, modern cloud-based technology stack, lean operations, flat organizational structure, zero (or very few) pre-existing processes to consider.
Typical Challenges: The start-up is a fast-moving organization that must accomplish very much with limited resources. As the organization acquires new clients, they will face new security and compliance requirements (contractual requirements, due diligence questionnaires, and certification requests) that are directly tied to the organization’s ability to acquire new clients.
Keys to Success: The start-up will have limited resources to dedicate to security. As a result, security will likely be a shared responsibility. Since security is not yet formalized and resources are shared, forming an IRC will be critical. To scale, the start-up must integrate security into their organization from the beginning (culturally as well as with modern cloud technology).
Organizational Structure Nuances: The start-up probably will not have a traditional CISO. Instead, security will likely be a shared responsibility. In larger start-ups, there may be mid-level managers and subject matter experts in security or compliance roles. As a result, the security program may lack executive authority to request resources and budget. In this case, top-level leadership and the IRC must act as the executive authority for information security initiatives. The organization will need to identify and train security champions across the business who can manage security as an additional duty.
Small-Medium Business (SMB)
Profile: 250 – 2500 people, organizational structure complexity is increasing, likely leveraging mix of modern technology stacks and legacy systems, the organization is large enough to present communication challenges, some pre-existing processes that will need to be considered or replaced.
Typical Challenges: SMBs have reached the size and complexity where they will need to formalize an approach to information security. Cross-functional organizational communication, stakeholder buy-in, and consistent implementation of security controls becomes difficult. Top-level management’s span of control does not reach all employees or managers, so they will need to have buy-in from middle management across the organization to effectively implement/control security. The security attack surface is larger, so the likelihood of attempted security events has become an inevitability. Security cannot be an ad hoc function and will require a leader at the helm, a formal security budget, and organizational structure. Change is sometimes more difficult for SMBs because it will often involve retiring old processes before new processes can be established, consulting additional decision makers, and additional bureaucracy that does not exist in the start-up.
Keys to Success: The SMB will need to form an official security organization. Finding a CISO and building a team is a requirement for long-term success. Security training and consistent implementation across the organization will be essential to the company’s next stage of growth and maturity. Embedding security into various departments including establishing KPIs to report to the executive leadership team and board of directors will help top-level management delegate security while ensuring it is well managed.
Organizational Structure: The SMBs organizational chart will be expanded to include a formal security organization reporting to the IRC. This new security organization will include a security program leader, compliance specialist(s), as well as application and network security subject matter experts. The organization will need to identify security champions for departments where full-time security resources do not exist.
Profile: More than 2500 people, significantly complex organizational structure with many business units, a mix of modern technology and legacy systems, many established processes to consider, every decision must consider many stakeholders.
Typical Challenges: Organizational change is slow and requires significant strategy, cross-functional coordination, buy-in from various stakeholders. Decisions tend to be complex due to the variety of technologies in place, geography, competing priorities, and stakeholder interests. Many business units may merit unique security sub-organizational-structures to accommodate their specific business needs.
Keys to Success: The security program leader must be a seasoned executive with the skills and experience to navigate organizational change and stakeholder influence. A formalized and effective security program organizational structure must exist to drive effective governance and change management. Formalized training and communication mechanisms must exist. Appropriate resource allocation (budgets and personnel) must be sufficient to support the security program. Separate business unit organizational structures, budgets, and resource plans may be required.
Organizational Structure: Organizational structure will vary widely based on the complexity of the organizational structure. Largely, it will be an expansion of the SMB organizational structure copied across business units, geography, or child companies. Corporate security may operate as a shared service. If business units or subsidiaries are large and complex enough, it may be necessary to introduce Business-level Information Security Officers (BISOs).
We have an Organizational Structure, What’s Next?
Now that you have designed your security program organizational structure, your organization should be well-positioned to govern and optimize your security program. Your organization will also be able to effectively communicate expectations and accountability. Clarity will help eliminate uncertainty and help align the security program with your most important business initiatives.
If you found this post helpful, stay tuned for part 3 of this series where we will discuss how to develop a security program budget that supports your organization’s strategy.