Is your security organization ripe for a reorg?

With more than two decades of enterprise security experience, Daniel Schwalbe has seen both how the profession has changed and how the structure of security teams has evolved.

He recounts, for example, how his former security department reported to network operations when he first started there in the late 1990s. Buried deep in IT, he got the sense that “people didn’t want to talk to us.”

But over the years security moved out from under network operations and into a dedicated CISO office. Security then began to branch out.

“There was a central team, but we started identifying individuals in the different departments who could take on a security role. They weren’t part of our team, but they were people who had some security work,” says Schwalbe, who was by then director and associate CISO.

Schwalbe says the value of those partners was immense.

“If you have someone who works there and is security savvy and you partner with them, it becomes a much better situation and you can be a much more effective security department,” he says.

That lesson influences his decisions today as CISO of DomainTools. Following a 2021 merger, Schwalbe says he’s now strategizing how best to organize his growing security team. He’s leaning toward a centralized security department with liaisons into the various business groups who can learn about what each team is doing, more quickly identify their security risks, and then serve as trusted advisors to their work.

“A security team does best when it has the trust and the respect of the other departments in the organization,” Schwalbe says, “because then they know that we’re there to help.”

DomainTools

He points to one interaction that illustrates the value of using liaisons. He says workers in one business group had to keep asking for help accessing information from a secure system. The security liaison recognized the roadblock and, working with others in security, adjusted the permission levels. Security essentially came up with an access subcategory that gave the business team what it needed to efficiently work while still adhering to the principle of least privilege.

“By being more collaborative and actively approaching things rather than waiting for stuff to come to us,” Schwalbe adds, “I’m leaving the place in a better state than I found it.”

Schwalbe joined DomainTools as CISO in January 2022, so it’s logical that as the new security leader he’d consider how best to organize his team.

But veteran security executives and management advisors say CISOs should revisit organizational structure as part of their overall strategic plans and after big shifts in enterprise needs—something nearly every business is experiencing as everyone heads into a post-pandemic world that has embraced remote work, cloud computing, and digitalization like never before.

Finding the right model at the right moment

CISOs have a pick of different organizational models, from highly centralized to federated and varying degrees in between. Experts stress that CISOs should take time to determine which model will work best and how to best implement it, saying that the efforts have a good ROI.

“It’s often not about hiring new people or buying more equipment but operations and how to get the organization to operate more securely that can create the most effective security,” says Adam Goldstein, an assistant professor of cybersecurity at Champlain College and the academic director of its Leahy Center for Digital Forensics & Cybersecurity.

Champlain College

Executives often undertake restructuring the security department after an incident, says Jack O’Meara, who as director of the cybersecurity solutions practice at Guidehouse consults on such projects.

“But I think they should be re-evaluating more often because of the ever-evolving threats and the changing dynamics of the workplace,” he says.

CISOs will find that every organizational structure comes with pros and cons as well as benefits and challenges implementing them.

For example, O’Meara says CISOs typically find that it’s easier to exert control in a centralized model but may give up full visibility into all the technology being used within the organization—particularly if there’s a lot of shadow IT deployed within the business units.

On the other hand, CISOs can more easily partner with business units under a federated model but must be more diligent in setting and maintaining strong governance to ensure that security standards are consistently upheld in all areas of the enterprise, O’Meara adds.

Guidehouse

Given those considerations, he says many CISOs opt for a hybrid model, centralizing some security functions and embedding or liaising security with the various business units as a way to get the benefits of each model while minimizing potential pitfalls.

Schwalbe agrees, explaining that he balances the models’ elements in part by having security workers report to him but encouraging each liaison to be a regular presence in the business units they support by, for example, attending and participating in their meetings.

Time to evaluate

Not unsurprisingly, O’Meara and others say that there’s not one single model that will work best for all. Yet they also agree that CISOs should be making deliberate decisions about how to organize and when to restructure, rather than just going with what they’ve inherited or have always done.

Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, says he advises CISOs to consider several factors when thinking about this topic.

PwC

They should consider what enterprise-wide services their departments see as core services to be delivered at scale—such as a security operations center, identity and access management and policy controls. “Those things tend to be provided as an enterprise service,” Nocera says.

CISOs should also evaluate how and how well security aligns with the business units, he says. “Where security understands the business units and can help tailor security, then you can embed resources in the business,” he says, adding that those embedded resources may have either solid or a dotted reporting line back to the CISO.

And with the increasing adoption of cloud and DevOps, he says CISOs must think about how they support application development teams and how the security department can best support agile development and put security early into that process.

Nocera says such questions are less about the security team’s size and more about how mature the overall enterprise is in its approach to cybersecurity.

“If the organization hasn’t prioritized security, I favor a centralized model where you need to drive things from the center and make sure things are happening,” he says. “But if you have processes and muscle memory and governance in place, you can begin to federate and push some of these things out.”

The value of being deliberate

Like others, Nocera sees benefits to both centralized and decentralized models.

“With centralized, the CISO is able to be more prescriptive. And there’s a higher degree of certainty that resources are executing within the guidelines the CISO expects, and that allows for a little more uniformity of definitions of roles, responsibilities, and workflows. You also have more real-time feedback and course correction.”

As for the latter, he says “because security is close to the business or the development process, they’re likely in the first ideation meetings, so you’re able to embed security earlier [in initiatives]. And you’re getting more ownership from the business unit or developers when they see the security person as one of their team.”

Yet experts say organizational structure isn’t just about understanding pros and cons. Rather, the key is for the CISO to be purposeful in which model to use and why.

“If you are,” Nocera adds, “I think you can get to the optimum security level in either model.”

Steven Sim, global CISO for a large international company and a member of the ISACA Emerging Trends Working Group, has a similar outlook.

ISACA

He says his own security team has a three-tier hierarchical structure. The top tier includes governance, incident management, and a project management office; it works at the global level. Then there are regional offices, and below that are various business units with their own IT and security teams.

Sim says security provides centralized shared services. But it’s structured so that some work—such as compliance with local privacy laws—is handled on a decentralized basis with regions picking up those tasks.

Sim says the company may pull resources from one region to help out other areas when needed, and it coordinates across regions, too, so, for example, the company can determine whether incidents happening in different regions could be related.

“There are certainly areas where decentralization makes sense, but in my view is there is no one size fits all. It depends on the business, its maturity, its agility, and the culture,” he says.

Sim says what may be even more critical is how everyone, including business unit leaders who he says ultimately have responsibility for risk, come together.

“It’s really that all-hands-on-deck mentality,” he says. “Security is increasingly everybody’s responsibility, and everyone has a role to play.”

Gartner director Sam Olyaei, who works as part of the research firm’s Risk and Security Management group, echoes that point. He says security team structure influences success, “but the core issue always remains governance.”

Gartner

Like others, Olyaei says CISOs need to focus first not on their org charts but on how their security departments fit within the larger enterprise, how well the organization as a whole handles risk, how mature its processes and policies are, whether the enterprise is more autocratic or democratic, and how security can best drive standards in that environment.

Solving for those questions is paramount, he explains.

“You can restructure a thousand ways—with different reporting lines, reorganized teams, having a federated or not federated model—but those won’t solve any core issues,” Olyaei says. “Solving underlying governance issues is more important than trying to restructure your way around a problem. That’s something I tell clients all the time.”