The Security Organization

Over the coming months I’ll be writing a series addressing key challenges that CISOs face – challenges that security folk typically don’t get trained on – and how I personally solve these as a CISO. I hope this will be a source of inspiration for other CISOs and, at the very least, a useful resource for others who are starting to move into this space.

I’ll be covering topics such as designing an organizational structure, optimizing the organization, effective strategy & planning, winning over the business, staff attraction & retention, the mindset of a CISO & much more. 

Organizing the security organization 

The first topic I want to consider is organizing the organization. For the purposes of this post, when I talk about “the organization” I’m referring to the teams that the CISO has line management of – not the rest of the business. As CISOs we will typically end up running an organization which is made up of a number of internal experts & outsourced partners. I run an organization which is made up of experts in application security, penetration testing, cloud security, data privacy & protection, security operations, infrastructure security, compliance & assurance and more. Managing an organization is not – in and of itself – a unique task; however, deploying an organization to reduce complex risk as efficiently as possible is nothing less than a work of art.

The challenge many CISOs have is to ensure that the organization is appropriately structured in terms of size and capability in order to deliver the security & privacy strategy for the organization and its customers. The strategy will almost always include risk reduction, which can manifest in a diversity of programs and initiatives across the business that impact the enterprise and any products or services sold by the business. In addition, a strategy may also involve ensuring that customers have true agency over their data (privacy), that customers have assurance in the services or products provided by the business, and that investors know they are buying an asset they can have confidence in. In practice, deploying an organization to facilitate these things can be a very complex task, so it is absolutely essential that the CISO is able to regularly assess the performance of their own organization to ensure it is optimally delivering value to the business.

So if keeping the security & privacy organization performing at its peak is so important, how do we do it? In order to remain optimal, here are a few essential characteristics that the organization needs to be – or to have:

Extrospection

The first characteristic is extrospection. The organization must be structured to systemically have a high level of awareness of the external environment. This can include awareness of external risks & threats, threat actors, industry trends, market competition, the broader organization, emerging technologies, modern architectures and so much more. This should be both an individual & cultural imperative and also something that is systematized across the organization. Without this information, the organization will fail to understand what threats are meaningful, what competitors pose a risk, what emerging regulations will impact the business, what industry trends can be exploited and how to effectively influence the broader organization – amongst other things. Without awareness of the external environment, the organization will lose its identity, purpose and grasp on reality and this will result in a failure to deliver the strategy and add meaningful value to the business. Unless such awareness is carefully systematized and infused in culture across the security & privacy organization, the outcome could become existential – for the business and/or the CISO!

Empowered

The organization needs to have the power it needs to carry out the strategy. In practice, this means the organization needs to be resourced appropriately and partnered well, that the right levels of governance, leadership and sponsorship are in place – and that the entire security organization has the trust of the business. The CISO needs to ensure that no parts of the org are spinning their wheels, and that when spinning wheels are encountered the problem is quickly addressed so that the rubber can once again hit the road.

Trusted

Trust is not just something the CISO needs to build personally, it’s something that needs to exude from the organization. When partners, external stakeholders, customers or prospective employees look into a security organization, they need to feel they can trust it. 

Engineering trust happens from the ground up – it doesn’t happen using the :wave hand: emoji. Trust is built every time you introduce or adjust a process; it’s built every time you implement or change a system; it’s built or lost every time you make a change to the organizational structure. 

As a CISO, trust is scrutinized and subsequently won or lost with every single word you use and every single action you take. Likewise, this applies to the security organization overall. To use an analogy, the security organization has a ‘trust bucket’. Every day, the org performs thousands of interactions with stakeholders (process & system interactions, staff communication, etc.). Every interaction has an effect on your organization’s trust bucket. Either someone (i.e. an individual or team) or something (i.e. a process) is spending that trust – or they are earning it. As the trust bucket depletes, the level of noise increases, degrading the ability of the organization to meet its operational and strategic objectives. As the trust bucket fills, the reverse happens and the organization is celebrated.

A key ingredient I use for building a highly trusted organization includes attracting, retaining and building field experts/leaders who are effective communicators, humble (low-ego) and who embrace a culture of psychological safety. 

Agile

The external environment is constantly changing: new threats, new vulnerabilities, new geopolitical challenges, new regulations, new frameworks. Not only this, the broader business will also experience changes in pursuit of its mission. As these changes happen, the security organization needs to be able to pivot and adapt quickly in order to exploit both tactical and strategic opportunities. This is a working philosophy that individuals need to be personally invested in, as well as something that needs to permeate the org structure & culture.

Agility & change are usually accepted more readily when the ROI is clear. Articulating the ROI is something that organizational leaders need to be in the habit of doing in order to drive the change that is needed.

Capable

The organization needs to have the right set of capabilities in place to support the delivery of the strategy. This is not just referring to technical or SME capabilities (which are important) but also soft capabilities such as the ability to communicate powerfully, the ability to influence, personal resilience and more. 

Understanding who should do what, which capabilities are deficient and how to rectify this is something on which only the CISO can have the final say.

Tuned

Finally, the CISO needs to treat the organization like a living, breathing organism – it needs constant care & constant tuning. The CISO needs to understand current and emerging threats to the organization itself, and also emerging constraints on any of the above, to ensure they are managed before it is too late.

As part of this, CISOs need to consider:

  • The management of the supply and demand of resources. GCP’s CISO Phil Venables has written a great article covering this, which goes into a bit more detail in the context of security budgets.
  • Regulate the speed of systematization – sometimes teams & services need more systematization, sometimes they need less. The CISO needs to ensure that the organization is maturing and growing at a practical and sustainable rate. Striking a balance of investment here is important. Doing things for the sake of doing them is wasted investment.
  • Ensure that the organization structure is actually delivering the outcomes needed by the business. Tracking this with metrics is a great way to monitor this. I’ll write a separate post later on what metrics can be useful in this context.