Information Security Organization
No matter what organizational approach has been adopted, there needs to be an established level of capacity and ownership. Common components should be centrally owned, while unique components can be distributed. Any decentralisation of responsibility needs to ensure appropriate insulation between the varying levels of trust required by individual businesses and applications.
The day-to-day running of the individual components of the service would be performed by IT security delivery specialists residing within the platform competencies. The IT security delivery specialist:
- Should be measured on the delivery of the individual security component they are supporting.
- Should be a specialist trained in providing 2nd level support for the running of an individual component.
- Should be a specialist in the particular platform on which they are supporting the security component.
There needs to be an IT security service specialist that is responsible for delivery of a complete set of security services and not just an individual component. The IT security service specialist:
- Should be measured on delivery of the service against key performance indicators.
- Should understand the complete end-to-end architecture for the service in order to assess the risk and impact of any failure to the service.
- Should provide 3rd level support for the running of the individual components within the security service.
- Should have wider skills and experience of security covering technology, processes and people to assess and act on new risks and issues.
- Should not necessarily be a specialist in all platform architectures that form the service.

Figure 14: Security Service Delivery Organization
The security management processes and activities will be supported by a security management specialist, who is not a technical specialist and does not need to understand the technical delivery of security services. The security management specialist:
- Should support the delivery of security management activities performed by the platform delivery teams.
- Should use the Security Service Specialist to support the delivery of security.
- Should monitor the key performance indicators of the security services and support managing the resolution of issues.
The diagram above shows the security roles needed to run a set of security services successfully.
Hours of Service
Security has traditionally been a 9-to-5 role, but this has now changed. Once a business is connected to public networks, the risk of new vulnerabilities and threats being exploited is not limited to business hours. The management of security risks becomes a 24×7 issue.
The challenge for organizations is how to manage that risk on a 24×7 basis without significantly increasing operational costs. The use of a Security Service Dashboard enables general IT practitioners to monitor the effectiveness of security outside a standard business day. Security Service and Security Delivery Specialists only need to be called in when the dashboard indicates there is an issue. To get the right balance, the dashboard needs indicators that balance the risk to the business against the cost of calling out staff. The indicators may have different thresholds depending on the time of day.
Another approach is to outsource the monitoring of the security services to a third party that has the critical mass of specialist security knowledge to operate on a 24×7 basis. They are able to make skill-based decisions on the risks by examining more than just the KPIs. The value of this has already been seen in the growth of the Managed Security Services solutions being offered.
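The dashboard logic described above, with indicator thresholds that vary by time of day and a call-out decision weighed against the cost of calling staff in, can be expressed as a small evaluation routine. The following is an added example and not code from the original document; the indicator names, threshold values, the Mon-Fri 08:00-18:00 business day and the sample readings are all constructed for illustration.

```python
"""Time-of-day aware evaluation of security service KPIs (added example).

Out of hours, an indicator either keeps a strict threshold because a breach
justifies calling out a specialist, or gets a relaxed threshold so that
routine noise is queued for the next business day instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Indicator:
    name: str
    business_threshold: float      # limit applied during the business day
    out_of_hours_threshold: float  # limit applied at night and weekends
    higher_is_worse: bool          # direction of the breach test
    callout_out_of_hours: bool     # a breach outside hours justifies a call-out


# Constructed indicator set; values are hypothetical, not from the document.
INDICATORS = (
    Indicator("failed_logins_per_hour", 500, 1500, True, False),
    Indicator("high_severity_ids_alerts", 0, 0, True, True),
    Indicator("av_signature_age_hours", 24, 48, True, False),
    Indicator("patch_compliance_pct", 95, 90, False, False),
)


def is_business_hours(when: datetime) -> bool:
    """Mon-Fri 08:00-18:00 is taken as the standard business day (assumption)."""
    return when.weekday() < 5 and 8 <= when.hour < 18


def breached(ind: Indicator, value: float, business: bool) -> bool:
    """Compare a reading against the threshold that applies in this window."""
    limit = ind.business_threshold if business else ind.out_of_hours_threshold
    return value > limit if ind.higher_is_worse else value < limit


def evaluate(readings: dict[str, float], when: datetime) -> dict:
    """Return breached indicators and the action for the on-duty IT staff.

    action is one of:
      "none"    - every reported indicator is within its threshold
      "callout" - contact the security service specialist now
      "queue"   - record the breach for the next business day
    Indicators with no reading are listed under "missing": a silent feed is
    worth investigating, but it is not treated as a breach here.
    """
    business = is_business_hours(when)
    breaches: list[str] = []
    missing: list[str] = []
    callout = False
    for ind in INDICATORS:
        if ind.name not in readings:
            missing.append(ind.name)
            continue
        if breached(ind, readings[ind.name], business):
            breaches.append(ind.name)
            if business or ind.callout_out_of_hours:
                callout = True
    if not breaches:
        action = "none"
    elif callout:
        action = "callout"
    else:
        action = "queue"
    return {
        "business_hours": business,
        "breaches": breaches,
        "missing": missing,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample readings, evaluated at a weekday noon and a Saturday 03:00.
    sample = {
        "failed_logins_per_hour": 600,
        "high_severity_ids_alerts": 0,
        "av_signature_age_hours": 10,
        "patch_compliance_pct": 97,
    }
    print(evaluate(sample, datetime(2024, 3, 12, 12, 0)))
    print(evaluate(sample, datetime(2024, 3, 16, 3, 0)))
```

The same burst of failed logins triggers a call-out during the day but is only queued at night, because the relaxed out-of-hours threshold reflects the cost of calling staff in; a high-severity IDS alert keeps the same threshold in both windows and always results in a call-out.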
Security Development Organization
Security is an ongoing process, supported by governance to ensure compliance across the enterprise and kept current with the changing business environment, risk profile and technologies. The governance should determine the balance between risk and cost, and this balance should be used to inject the right level of security into projects.
Distributed development should be supported by security guidelines and standards, plus control points through compliance and audit. Centralized development can be contained and controlled more tightly through full life-cycle involvement, ensuring that all security controls meet the policy of the organization and are appropriate to the application.