Security Governance Models and Structures

At the root of most consulting engagements we often find a security governance problem. Therefore, we decided to devote some of Security Architects Partners’ next several posts to this Eternal Question: How to govern enterprise security? Should governance be centralized? Decentralized? Strict? Permissive?


The figure above displays a matrixed governance model that would serve many large, distributed organizations well. Of course, lines of business other than the geographical ones shown could equally apply, and more structures could be shown for completeness. The Information Security Office (ISO), shown here within Group IT, could be named or report differently. However, I’ll argue that the diagram displays the minimum lines of communication, reporting, policy-making and operational control required to manage risk in global, distributed organizations. I hope you find it somewhat intuitive, and I plan to explain it fully in another post.

Let’s just say attaining security nirvana is not as easy as drawing a picture and implementing security governance. Fiefdoms, personalities, turf wars and turbulence work against the clean operation of any theoretical governance model, and it takes time, patience and top-down support for any model to settle down and thrive. Even a good model might not work, but a bad model almost certainly won’t.

Security teams often have trouble coming to consensus, or making decisions on projects and/or larger governance issues. Sometimes this is a transient problem due to a lack of the right people and skills. It may also be due to disagreements, or to the “storming and norming” that happens as staff grow accustomed to working collaboratively in new groups or on new tasks. At other times it is a structural problem within part of the security program itself.

In the industry, we’re seeing the job of managing security and risk get harder. Compliance is becoming more complex. Government regulations are being handed down and then spread to third parties through contracts. The number of cyber criminals, the tools available to them and the risks they create are increasing. Continuing IT innovation – while positive for IT operational efficiency in the long term – creates disruption and more complexity in the short term.
So let’s tackle the following questions:

  • How can a global distributed company with multiple lines of business – a microcosm of the world itself – maintain a strong security program with any level of operational efficiency?
  • How can the same company maintain business agility while keeping its security policies strict enough – but flexible enough – to address rising and changing risks?
There’s no one way to do this, but there are some basic structures we can confidently work with if we have competent, empowered people or teams in key roles. Understanding such structures is the first step toward modeling the future of security governance.

Centralized security policy and operations

  • Security policies, procedures and responsibilities are well established – everyone knows the roles and rules
  • Security groups are at the controls – or have dual control and visibility – of the network, infrastructure and applications
  • New initiatives, changes and contracts require mandatory security review, involvement and approval

Decentralized security with strong risk management and accountability

  • Each business unit establishes security policy and conducts operations appropriately to its risk level
  • Any obligations arising from interdependencies between units are fulfilled via internal (or legal) contracts
  • Business units are held accountable by the parent entity for appropriateness of policy, adherence to policy and fulfillment of their contracts

Matrixed security with well-articulated communication and control

  • Operational control is distributed among a mix of centralized and decentralized structures within or between business units
  • Common, or consistent, policies control the operations of each structure
  • Business needs, risk management and operational efficiency are factored into policies and enforcement or accountability mechanisms
  • Shared services enable optimized capabilities while minimizing and strengthening key architectural interdependencies
  • Coordination mechanisms manage change and continuously improve architecture and governance structures


Bottom Line

Realistically, most large enterprises are going to tend toward the matrixed model. But when you think about it, matrixed security is just an assembly of centralized and decentralized security components, similar in concept to the “lines of business” level in my governance diagram. It is what naturally evolves in a large organization – hence I would characterize it as fractal in nature. As security architects we have to get more effective at advising executives on:
  • What governance structures work
  • What kinds of policies need to come down from the C-Suite
  • What reports and metrics executives should require and monitor to manage risk, promote compliance, audit operations and maintain control

Continued in Part 2: Operating the Matrix and Five Essential Questions for Matrix Security Governance
