With numerous changes to the work environment, information security functions are increasingly going back to basics and rethinking the kind of function they’d like to be
Though all security functions aim toward the same goal of information protection, there are certainly large differences in how each function is organized to do so. One of the key questions to answer is regarding the activities and responsibilities that should be owned by a security function. Is the function’s current range of activity ownership the most appropriate one? How does the organizational design of one security function compare with those in other organizations?
We have spent a lot of time thinking through these questions and speaking to our members about them. Our research indicates that, while there is no single “right” answer, there are three themes in particular to consider.
Look Out for Clear Coordination Opportunities
The legal function increasingly appreciates the importance of information risks beyond regulatory requirements. About 85% of general counsel think it is ‘important’ or ‘very important’ to manage technology-related risks, and information security is now a top concern for heads of audit.
At the same time, there is a clear understanding that Security must become more involved in legal activities as well. This has broadened the scope of responsibilities for information security as chief information security officers (CISOs) take on ownership of activities such as privacy breach notification, e-discovery, and privacy strategy. Yet security functions do not consistently take on all related activities, which can create inefficiencies in the broader enterprise. Therefore, Security should carefully consider taking on activities that closely overlap with its existing responsibilities (see chart 1) in order to drive closer coordination in key areas.
Chart 1: Analysis of Joint Ownership of Related Activities (percentage of respondents)
It May be Time to Rethink Security Operations
On the other hand, as security functions move toward a strategic and business focus, it may be time for Security to reconsider the trade-offs of owning security operations and, if necessary, to plan for potentially devolving such operational activities in the future. Given the lack of a consistent view among CEB Information Risk members on owning or devolving operations (see chart 2 below), security functions must carefully think through the pros and cons of three approaches to operations: retaining operations, providing governance without retaining ownership, or simply setting the policy while leaving adherence and monitoring to other functions. Ultimately, however, the ability to safely devolve operations depends on the process discipline and risk awareness of the whole enterprise.
Chart 2: CISOs’ View of Information Security Owning Security Operations (percentage of respondents)
The Function’s Focus Areas Determine Responsibilities
More broadly, functional focus areas—often determined by larger corporate organizational design—are a key determinant of Security’s responsibilities. Some security functions continue to focus exclusively on pure security execution and operation issues, some focus on strategic governance responsibilities, and others focus on legal concerns. As a result, within the membership, we have found that:
- Those who focus on the first area typically limit their responsibilities to activities such as operations, incident response, IT security, threat and vulnerability management, and event monitoring and analysis.
- Those who focus on the second area tend to own activities such as data classification, setting risk appetites, information risk management, and IT audit and compliance.
- A portion of security functions have a dual focus on governance and on operations, leading to a more diverse set of responsibilities.
- The members that take on a legal lens tend to have the greatest variety of responsibilities by taking on e-discovery, privacy, information protection, and many governance and operational activities.