Take it to the edge

Whether the structure of your security organisation be centralised or federated, it needs buy-in from everyone who will implement it. Liz Warren reports

Delivering security is not just about having the right tools and technologies - you need the right people in place to implement and operate them. David Williamson, director of sales for UK and Ireland at security consultancy Ubizen, says there are two key factors that will influence how an organisation structures its security function:

  • The level of regulation in that industry sector. "Compliance-oriented organisations tend to have centralised functions focused on enforcement," he says. "In industries that are less regulated, spend on security tends to be lower and security responsibility is often more distributed."
  • The culture of the organisation. "Is it generally a top-down, hierarchical organisation or a more loosely federated organisation with semi-independent business units?" he asks.

Michael Stimson, a principal consultant with security specialist Diagonal Security, agrees that no security structure will work if it is alien to the existing management structures in a firm and is imposed on managers.

The structure is also about how responsive an organisation is to security. "Is it seen as a necessary evil, with people doing as little as they can to satisfy stakeholders?" Williamson asks. "Or is it an intrinsic part of the business, not just to safeguard operations but to build competitive advantage by showing customers yours is an organisation that can be trusted?"

Even with a centralised structure, you need to involve business experts from all parts of the organisation, says Andy Kellett, a senior research analyst specialising in security at Butler Group. "If you centralise security, you have to be certain that any decisions you make can work across the whole organisation."

But, Stimson says, "Devolved responsibilities must be tightly controlled, with everyone working to common practices, because you are only as strong as your weakest link. If you have a centre of excellence that offers support to local units and defines how security should work, you can be confident you are implementing patches and other security improvements across the organisation at once."

Kellett points out that the security function extends to every employee in the company, not just those with a security remit in their job function. "A lot of security problems arise because of a lack of understanding and training among end-users."

The reporting lines for the security function will be dictated by how an organisation views security. Williamson says, "Reporting to a chief operating officer can remove conflicts of interests, such as balancing the desire to meet a deadline for implementing a new business process with the concerns of a security team not happy with the level of security being provided in that package. The downside of a team separate from the IT department is that it may have a ring-fenced budget which is inflexible in the face of new threats."

The one other essential for Kellett is that there must be someone at board level who has proactive responsibility for security. In that way, he says, the board does not risk becoming complacent and reducing spending on security simply because good security practices in the past mean the organisation has not yet experienced a major security issue.

Northcliffe's committee sets policy

Northcliffe Newspapers Group manages its IT on a federated basis. Each division is responsible for delivering security to meet its needs, but in line with policies created by a central security committee. Antony Wiltshire is IT manager for the South East and has a seat on the security committee.

"The committee agrees the policy and distributes it to all IT managers," he says. "We expect their buy-in straight away: but because there are five of us on the group and we are coming from different parts of the business, we are confident we can create policies that will not cause detrimental effects on any particular part of the group."

Policy compliance is confirmed by a security project manager who makes spot checks. And Wiltshire gets strong support at the highest level as his managing director has a background in electronic publishing and an understanding of IT security issues.
