Security: A Shared Responsibility (Part 1)

Introduction

The concept of IT security is such a broad one that, to anyone who knows anything about the subject, the idea of a single “security solution” is laughable. Likewise, the idea that security is or should be the responsibility of just one person or team makes little sense when considered from a “big picture” point of view.

Governments can appoint security czars and corporations can hire chief security officers (CSOs) or Chief Information Security Officers (CISOs) to oversee and coordinate the security efforts of personnel, but an effective security strategy is and always will be a shared responsibility that stretches outside the boundaries of the company.

Only by working together can software vendors, hardware makers, company decision-makers, implementers, administrators, consultants and end-users thwart the efforts of hackers and attackers (both external and internal), stave off viruses and malware, and prevent deliberate and inadvertent data leakage. It’s a big job, analogous to that taken on by an army protecting its country against an invading enemy force or a police agency protecting a city from violent criminals.

In this multi-part series, we’re going to step back and look at that big picture and how each component (internal job position or external entity) fits into the puzzle, with a discussion of the importance of defined areas of responsibility.

Areas of responsibility

Back when I was a police officer working patrol, a common call was an alarm call that necessitated conducting a building search. This is one of the most potentially dangerous types of calls because you don’t know, going in, what awaits you inside the building. Thus we had protocols to follow, and one of the most basic tenets was to designate separate areas of responsibility for each officer. Our lives depended on each of us keeping our attention on our particular area of responsibility and trusting our partners to do the same.

Similarly, when it comes to an organizational IT security strategy, it’s important for every member of the team to know his/her area of responsibility and to maintain constant vigilance within its parameters. The consequences might not be quite as dire as the life-or-death situation that a building search can be, but failing to do your part of the job could very well mean the life or death of the company’s bottom line, public trust and industry standing. On a more personal level, it could mean the life or death of your career or at least of your next raise or promotion.

Some of the common areas of responsibility within the company security structure include the following:

  • Risk management
  • Security policies and procedures
  • Threat and vulnerability management
  • Endpoint security
  • Network and perimeter security
  • Identity management
  • Access controls
  • Data security
  • Application security
  • Third-party security
  • Privacy
  • Incident response and management
  • Regulatory and industry compliance
  • Business continuity and disaster recovery
  • Physical security
  • Liaison with upper management and other divisions/departments

Of course, many of these responsibilities overlap; there may be several different positions or entities involved in one of these areas, and there may be positions or entities that have responsibilities relating to more than one of these areas. Company structures and job descriptions vary widely, and there’s the added complication that the organization chart and job descriptions that “look good on paper” are not followed exactly (or sometimes at all) in actual practice.

Thus there are no hard and fast rules regarding areas of responsibility. Who ends up being responsible for what is, in some organizations, as dependent on employees’ personalities as on formally described job duties. But the following discussion will, I hope, give you some insight into different ways security responsibilities can be effectively divided, and especially into the importance of ensuring that every important responsibility is assigned to someone, preferably the person or position best suited to carrying it out.

Starting at the top: The CSO/CISO

The title, duties and scope of authority of the “top dog” on the IT security heap will differ depending in part on the size and structure of the organization. A large enterprise might very well have both a Chief Security Officer and a Chief Information Security Officer. The CSO might have broader authority and responsibility, including oversight of all security-related matters for the company, including physical security of the premises and assets, employee safety, loss prevention, even bodyguard protection for important executives.

In these large orgs, the CISO might report to the CSO, with the CISO’s focus solely on IT-related security. Or the CSO and CISO purviews might be completely separate, with the CISO reporting to the Chief Information Officer (CIO). Another possibility is that the CSO and CISO positions are roughly equal in the organizational chart, with both reporting to the Chief Operating Officer (COO).

Incorporating CISO duties into the position of CSO or placing the CISO position directly under the CSO can be a way of embracing a more “holistic” approach to security. This makes sense in an environment where physical and digital security are becoming more and more technologically intertwined. For example, the smart cards used to log onto the network may be the same ones used to unlock the doors to work areas. The old CCTV cameras that once monitored the premises and grounds are increasingly being replaced by IP-based cameras that can be accessed across the Internet and thus are subject to outsider hack attacks.

Another advantage of combining the two positions/departments is cost savings, as you may be able to do the jobs with reduced personnel. However, it’s important to ensure that those holding these positions have expertise in both information security and traditional physical security, and the higher salaries needed to recruit those with multiple skill sets may offset those savings.

At any rate, the position of the CSO/CISO within the organizational structure is important because it defines the scope of responsibility and, to some degree, how “hands on” the officer will be. A job that encompasses both CSO and CISO duties is less likely to be filled by a person with specific technical expertise; even if the person in the position does have it, he/she is less likely to have time to be involved in directly implementing strategies and solutions.

The structural position is also likely to influence the focus of the CSO or CISO. If the position reports to the legal department, the focus is likely to be geared more toward regulatory compliance issues. If it reports to the CIO or IT department, the job may focus more on the technology: firewalls, IDS/IPS, anti-virus/anti-malware, patch management and so forth. If it reports to the CEO or other executive management position, the focus is more likely to be on policies, metrics, risk assessment, etc.

Here is a good article on different types of CISOs and how each fits into an organizational structure:
Who should the CISO report to?

The important thing is that the CSO’s or CISO’s responsibilities be clearly defined. The CISO position typically encompasses both strategic and operational aspects. Responsibilities will usually include some or all of the following:

  • Establish goals and objectives in relation to the company’s security position, based on the company’s overall business strategy and objectives, and define ways of measuring progress (metrics).
  • Develop security policies (in conjunction with upper management) and see that those policies are carried out (procedures).
  • Oversee risk management (in conjunction with legal and/or company-wide risk management).
  • Make decisions on, or influence, the choice of vendors for security-related products and services (hardware, software, cloud services, and so forth).
  • Deploy, manage and monitor security technologies and tools.
  • Oversee patch management, testing and rollout of security updates.
  • Manage operating system and application configuration according to security best practices.

As you can see, the first few responsibilities in the list above are more strategy-centric, whereas the latter items are more operational in nature. Some CSOs/CISOs may hand off some of the operational tasks to the IT admins who oversee the network infrastructure. Alternatively, they may outsource some of those operational tasks to outside consultants or move them to the cloud. However, this can make it much more difficult to keep a handle on the operational procedures that are, after all, where all of the strategic decisions and policies are put into actual practice. If the CISO is too far removed from the operational “trenches,” that can lead to policies that are difficult or impossible to implement within the organization or that are ineffective.

“Security is not a one-size-fits-all kind of service. Yes, some features, like DDoS protection and generic threat prevention, are universally important. However, experienced CSOs and CISOs are not really in the market for a completely hands-off solution. Instead, they prefer something that provides them with additional visibility and a higher degree of control.

Not surprisingly, in the last few years, much of our development roadmap was driven by those exact needs, from features that offer a live view of incoming traffic to a custom security rules engine that allows clients to set their own security policies.” 
— Igal Zeifman
Incapsula.com

It’s also important to keep in mind that the CISO and his/her security team don’t operate in a vacuum. A vital but sometimes overlooked aspect of the CSO’s or CISO’s job is to represent the security “story” to upper management within the company and to other business divisions/departments. That means excellent communications skills and the ability to speak the language of management are essential. The CISO (or someone to whom the responsibility is delegated) needs to be able to act as the “PR agent” for the security team, to explain the security requirements and needs to those for whom security tends to be an aggravation rather than an avocation.

Summary

Your organization probably already has a security structure in place, but it may have been well thought out beforehand or it may have just “grown that way.” Even if the former is the case, the situation may have changed as the business and network have grown and taken on new challenges, brought in new technologies and operated in a changing business environment.

It pays to take a “big picture” look at how security is designed, implemented and managed, and the roles and responsibilities of all those involved in the security process. In this first of our series, we looked closely at the role of the CSO or CISO, at the top of the IT security structure. Next time, in Part 2, we’ll continue the discussion with an examination of the security role(s) of IT administrators.
