Thursday, April 16, 2009

Security's place in an organization


Security sits in many different places in an organization. The larger the organization, the larger and more autonomous security tends to be. In smaller corporations the role of security often seems to be placed with networking, or in the hands of the system administrator in charge of anti-virus or LDAP/Active Directory. This clustering of roles is so often driven by budgets. As corporations grow, the ability to fund a security entity grows; first within these same departments and then more prevalently inside of IT. In mid-sized organizations you may actually find a security staff person or two. Commonly these individuals will report to the CIO or CFO, much like the large organizations where you will find entire security departments reporting to a CIO or CFO.

The question becomes where security fits in these organizations. I had a manager who once told me that security never brings good news. He was right. Security has become the necessary evil in every organization. They are an expense nobody wants to put money toward, an extra step in every project that nobody wants to take. Security is the entity that delivers all of the bad news of breaches, viruses, and vulnerabilities. They are also the new expert that informs all of the other segments of IT of changes, updates, and modifications that need to be made to their infrastructure. But security is also a user, a drain on resources. They have appliances in the fabric of the network that require updates and cause downtime. They require the services of the networking and server administration teams for maintenance on the security equipment. They require assistance from the help desk to deploy their client applications, and they require assistance from administration to deploy and enforce their policies.


So what is the role; where is the place for security? Are they the new manager for the network? Are they the new cop on the campus? Should security be broken up into different groups that report to different sections of the organization; engineering to networking, analysis to the CIO, and intel to the CFO? I would suggest that perhaps it is a culture change that an organization needs to go through as a whole. Security should function as a big facilitator. I would propose that in a perfect world security would not manage any equipment; rather, that would all be left to the server administrators and the networking group. Where security needed a new appliance, they would order it, and it would be left to IT to acquire it and put it in place. Patches would be managed by IT, and security would not be a part of IT. IT should report to the CIO, who should report to the CEO. Security should report to the CFO, who should report to the CEO. Or there should be a CSO who reports directly to the CEO. But security needs to be separate from IT, and as such needs to be a customer of IT. They should also be the IT consultant.


What am I implying? You could almost have billable hours going both ways; expectations on both sides of the equation. Security has systems in the IT infrastructure: servers, appliances, PCs. These all require service, and that service should come with expectations. Likewise, security possesses knowledge, gained from experience and from their equipment, that they need to provide to IT. Their equipment also provides capabilities that they need to share with IT. Security can provide a service of which IT should have an expectation. This same service cascades out to the entire organization; this is where security can play the role of facilitator. One of the key services that security provides is to facilitate IT in delivering a more secure product, and to facilitate the user base in the organization in demanding and supporting the implementation of a secure product from IT. Providing services such as these helps to reduce the bad-guy image of security. Enabling the rest of the organization to produce secure solutions reduces the number of times that security has to inform the company of bad news. The more IT can feel like they are partners in these solutions, the better things will perform. The more autonomous security is, and the more customer-based their relationship is with IT, the more successful their mission will be.


Every organization faces resistance to the mission of a security program. Autonomy of security inside an organization, including separation from IT, helps with the success of that mission.
