Failures of business and IT teams to engage in the security-related activities relevant to their security-related roles are often failures of security governance. Perhaps the security function in the organization isn’t structured right, or the security policy doesn’t reflect the business priorities. Symptoms of security governance model challenges, or lack of maturity, include disengaged business units and perverse incentives for the security program.
There are three basic types of security governance models: centralized, decentralized, and matrixed. Which one is optimal? Generally, the model should align with the way that the business itself is governed and/or the way it provides IT services. For example, if the business has subsidiaries each operating their own IT fiefdoms, security cannot be fully centralized.
Many medium and large, complex organizations are tending to become more decentralized in the age of the digital business. To fulfil enterprise security requirements, they tend to need some form of matrixed security governance. For example, a CISO might provide overall security leadership, while operations are farmed out to IT groups in various business units. The CISO position itself could report to IT, or it could report to another executive business function such as the CEO or the Chief Risk Officer (CRO). There are advantages and disadvantages either way, and the right answer must be aligned with the business and IT culture and any operational or regulatory requirements.
Friction with business units can result from having the wrong security governance model, and security-related activities become more difficult to accomplish.
Applying the right Securityy Governance Model
The security organization is just one organization in the business. It must work with executives, IT, development, corporate administration, and LOBs. Many security-related roles must be carried out by business leaders and staff outside the core security organization.
The security governance model, or structure, defines the way the security organization and the security program relate to the rest of the business.
There arefundamentally three security governance models:
Centralized
In a centralized security governance model, one person or department makes all the important decisions, controls operations, resolves disputes, and sets the strategy and the budget for security. Responsibilities can be delegated but managers still report directly to a single leader who serves as a central authority. Centralized governance with strict hierarchy is typical of military and often civilian government and some corporate organizations.
This kind of centralized security governance model is suitable for some security cultures and industries. But outside of those, it may face challenges as digital businesses become flatter, more decentralized.
Decentralized
In the decentralized model, multiple organizational units operate security programs independently. This is common among multinational organizations or businesses that have grown by acquisition. Each organizational unit in this model has its own security team.
The decentralized model doesn’t preclude the business from requiring units to coordinate on developing shared services or from following some common standards.But if a decentralized organization has a CISO at the enterprise level, this CISO will tend to be in a weak position. Don’t be fooled by the “Group CISO” title you sometimes see in this case. In the decentralized model, each line of business (LOB) manages IT and security according to its own needs.
Matrixed
Matrix security governance structures can coordinate the management of cybersecurity for very large organizations. For example an organization that operates governance at four levels.
- Lines of business and IT services:
At the lowest level, LOBs or regions run their own IT functions; however, some commoditized services such as email systems and endpoint anti-malware may be shared. LOBs and regions may also use cloud computing services from diverse vendors.
More strategically in the model, local business units can plan for future iterations of the applications and shared services they need. They may share in the costs for shared services. There may be representatives from the CISO function on liaison to the business units, or business unit staff may have a dotted line responsibility to the Group CISO.
- Cross-functional working groups:
Moving up a level, matrixed organizations typically have an enterprise CISO and CIO function, for example, a “Group CISO.” However, larger business units beneath them may also have CISOs. Exact titles vary between companies, as do reporting structures. The Group CISO/CIO organizations provision and protect the shared services. They continually interact with the local functions to enable, approve, or coach the lower echelon security management.
The Group CIO manages the architecture and operations for shared services, and either the CIO or CISO manages security services or security components of shared IT services.
- Executive committees:
The Group CIO and CISO also interact on a peer-to-peer basis with the heads of business administration, that is, HR, legal, and finance, to address share budgeting and procurement processes. Cross-functional working groups may exist permanently or form temporarily to undertake major risk assessments, approve changes, or develop new architectures. The executive committees report up to the Board and executive levels. For complex organizations – such as multinational corporations with subsidiary legal entities – multiple layers of reporting may be required.
As with the centralized governance model a security team or department reports to the CISO. But in the matrixed model, some members of the team may work for other functions but have “dotted line” reporting to the CISO. In general, matrix structures require well-articulated cross-functional and cross-divisional roles and working groups, processes, accountabilities, and lines of communication and control. Key questions: Is the matrix structure well designed or not? Does it suit the organization’s culture?
- Board (and executive-level) meetings:
Operating a matrix organization is challenging precisely because of the cross- functional dimensions. Research suggests that most cross-functional teams are dysfunctional. Why then do so many organizations adopt the matrix model and then struggle with it? The answer: Once an organization gets to a certain size, or a certain level of complexity, there may not be an alternative. Perhaps, for large or complex organizations, one might repurpose an old joke about democracy: “Cross-functional governance is the worst form of governance there is except for all the others.”
Many matrix governance structures are not pure; Organizations often have hybrid or composite governance models. An organization with composite governance could be decentralized as a whole but contain one or more large lines of business that operate in a centralized or matrixed manner. Each LOB might be large enough to form an enterprise. Corporate conglomerates and large national or state governments often have composite governance.
Security Governance Model Trade-offs
If we were to imagine a continuum between highly centralized and decentralized security governance models, we wouldn’t have to go too far toward either extreme before seeing issues and disadvantages.
Too centralized means rules for security governance may be too rigid. Some LOBs need more flexibility and, in the end, may not cooperate with security strictures. Too decentralized and LOBs will likely duplicate security efforts (or make inadequate efforts) creating inconsistent security controls that make it hard for the business to respond coherently to common threats or compliance requirements.
Given the trade-offs between centralized and decentralized models, organizations often turn to the matrix model in search of a sweet spot.
Any of the three models can work if applied in the right way in the right place. However, in some cases security governance structures result more from happenstance and personalities than from well-thought-out organizational thinking and thus may not be properly aligned with the business culture.
How Can ITM Help You?
IT Minister covers all aspects of Cyber Security including but not limited to Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations, Mobile Device Management, Cloud security best practice & architecture and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.