Security Governance Models and Structures
The figure above displays a matrixed governance model that would serve many large, distributed organizations well. Of course, other example lines of business than the geographical could equally apply. More structures might be shown for completeness. The Information Security Office (ISO) shown with Group IT could be named or report differently. However, I’ll argue the diagram displays the minimum lines of communication, reporting, policy-making and operational control required to manage risk in global, distributed organizations. I hope you find it somewhat intuitive, and plan to explain it fully in another post.
Security teams often have trouble coming to consensus, or making decisions on projects and/or larger governance issues. Sometimes this is a transient problem due to a lack of the right people and skills. It may also be due to disagreements or the “storming and norming” that happens as staff must grow accustomed to working collaboratively in new groups or on new tasks. At other times it is a structural problem within part of the security program itself.
- How can a global distributed company with multiple lines of business – a microcosm of the world itself – maintain a strong security program with any level of operational efficiency?
- How can the same company maintain business agility while keeping its security policies strict enough – but flexible enough – address rising and changing risks?
Centralized security policy and operations
- Security policies, procedures and responsibilities are well established – everyone knows the roles and rules
- Security groups are at the controls – or have dual control and visibility – of the network, infrastructure and applications
- New initiatives, changes and contracts require mandatory security review, involvement and approval
- Each business unit establishes security policy and conducts operations appropriately to its risk level
- Any obligations arising from interdependencies between units are fulfilled via internal (or legal) contracts
- Business units are held accountable by the parent entity for appropriateness of policy, adherence to policy and fulfillment of their contracts
- Operational control is distributed among a mix of centralized and decentralized structures within or between business units
- Common, or consistent, policies control the operations of each structure
- Business needs, risk management and operational efficiency are factored into policies and enforcement or accountability mechanisms
- Shared services enable optimized capabilities while minimizing and strengthening key architectural interdependencies
- Coordination mechanisms manage change and continuously improve architecture and governance structures
Bottom Line
- What governance structures work
- What kinds of policies need to come down from the C-Suite
- What reports and metrics executives should require and monitor to manage risk, promote compliance, audit operations and maintain control
Continued in Part 2: Operating the Matrix and Five Essential Questions for Matrix Security Governance