CEB Blogs


Information Technology

Information Security: Redesigning the Function

With numerous changes to the work environment, information security functions are increasingly going back to basics and rethinking the kind of function they’d like to be

Org Chart on a BlackboardThough all security functions aim toward the same goal of information protection, there are certainly large differences in how each function is organized to do so. One of the key questions to answer is regarding the activities and responsibilities that should be owned by a security function. Is the function’s current range of activity ownership the most appropriate one? How does the organizational design of one security function compare with those in other organizations?

We have spent a lot of time thinking through these questions and speaking to our members about them. Our research indicates that, while there is no single “right” answer, there are a three themes to consider in particular.

Look Out for Clear Coordination Opportunities

The legal function increasingly appreciates the importance of information risks beyond regulatory requirements. About 85% of general counsel think it is ‘important’ or ‘very important’ to manage technology-related risks, and information security is now a top concern for heads of audit.

At the same time, there is a clear understanding that Security must become more involved in legal activities as well. This has led to a broadening scope of responsibilities for information security as chief information security officers (CISOs) take on ownership of activities such as privacy breach notification, e-discovery, and privacy strategy. Yet, security functions do not consistently take on all related activities, which can create inefficiencies in the broader enterprise. Therefore, Security should carefully consider taking on activities that are closely overlapping with existing responsibilities (see chart 1) in order to drive closer coordination in key areas.

Chart 1: Analysis of Joint Ownership of Related Activities Percentage of respondents

It May be Time to Rethink Security Operations

On the other hand, as security functions move toward a strategic and business focus, it may be time for Security to reconsider the trade-offs of ownership of security operations and, if necessary, to plan for the potential of devolving such operational activities in the future. Given the lack of a consistent view on owning or devolving operations (for CEB Information Risk members; also see chart 2 below), Security functions must carefully think through the pros and cons of three approaches to operations: retaining operations, providing governance without retaining ownership, or simply setting the policy while leaving the adherence and monitoring to other functions. Ultimately, however, the ability to safely devolve operations depends on the process discipline and risk awareness of the whole enterprise.

Chart 2: CISOs’ View of Information Security-Owning Security Operations Percentage of respondents

The Function’s Focus Areas Determine Responsibilities

More broadly, functional focus areas—often determined by larger corporate organizational design—are a key determinant of Security’s responsibilities. Some security functions continue to focus exclusively on pure security execution and operation issues, some focus on strategic governance responsibilities, and others focus on legal concerns. As a result, within the membership, we have found that:

  • Those who focus on the first area typically limit their responsibilities to activities such as operations, incident response, IT security, threat and vulnerability management, and event monitoring and analysis.
  • Those who focus on the second area tend to own activities such as data classification, the setting risk appetites, information risk management, and IT audit and compliance.
  • A portion of security functions have a dual focus on governance and on operations, leading to a more diverse set of responsibilities.
  • The members that take on a legal lens tend to have the greatest variety of responsibilities by taking on e-discovery, privacy, information protection, and many governance and operational activities.

2 Responses

  • Sarah Buerger says:

    Interesting article. I wrestle with this question myself.

    What about network security–firewall rules, proxy filters, etc.? Do we include that when we talk about “Security Operations”? For that matter, what DO you think is inclusive in operations? Does that count laptop encryption? Anti-virus? Is vulnerability scanning operations, but working with other teams to correct vulnerabilities risk management?

    Seems like we have to agree on a definition of Security Operations before we can have this conversation.

    • Jeremy Bergsman says:

      Hi Sarah,

      You make a great point. Many security organizations now have a philosophy of owning specific security capabilities as they are architected and stood up, but eventually devolving them to others (usually IT infrastructure operations) as processes mature and technologies stabilize.

      We couldn’t cover all the detail in the blog post, but we have started to subdivide “operations” into “commoditized” “non-commoditized”, and “identity management” (provisioning etc.). Only 27% of CISOs own commoditized operations, while 63% own non-commoditized operations. More detail on this at the link in the post.

Leave a Reply



Recommended For You

Enterprise Architecture: Plans for 2014

For 2014, EA leaders are much more focused on building business enablement capabilities than they...