Over time, the pendulum between centralization and decentralization of operational tasks has swung back and forth.
In the mid-1990s, the pendulum for security operations swung toward decentralization. It became a specialized and complicated job to manage firewalls, not to mention the 15-20 other types of products that have come to encompass the security ecosystem. At that time, there was basically no way to gain economies of scale by centralizing management, and increasing efficiency while cutting cost is really the only reason to centralize anything.
So what we've seen over the past 10 years has been the gradual centralization of security functions, driven largely by the need to be accountable from an auditing/compliance standpoint. It became too hard to enforce corporate policies and centralize reporting with operations spread far and wide across the globe. This was another reason why the pendulum swung toward pulling everything into a central security group.
But once again this is increasingly changing; a number of organizations are moving security operations into other operating groups, like networking, data center or applications. We as an industry need to figure out if this is a good thing or not. Let's examine the pros and cons.
- Security is intrinsic to all operations – I don't think anyone would argue that security needs to be a consideration at all layers of the technology stack. If security specialists are isolated, the concepts of security tend to be an afterthought or something the networking folks just need to "tolerate." If everyone is on the same team, it facilitates collaboration and ensures objectives are aligned.
- Vendor consolidation is driving leverage – On the technical side, there is clearly a trend in which large technology vendors are adding security capabilities to their offerings. Cisco Systems Inc., IBM, Oracle Corp., Microsoft, etc., all are integrating security into their existing product lines. For example, Cisco considers security a key part of its advanced technology business strategy and IBM acquired security vendor ISS to provide more security knowledge and products. This means there will be leverage in managing network security within the network group, since over time the toolsets will converge.
- Consolidation allows separation of operational duties and program control – In many organizations, the top security officer reports to a non-technology person (CFO, CEO, etc.). This is to ensure the security function is totally objective and independent.
- Influence can be a challenge – If security operations reside within the technical operations groups, the job of the CSO becomes one entirely of influence, since this person controls minimal resources. I don't see this as a huge liability, but it is a different job; it requires different tactics to manage by influence rather than by empire building.
- Reporting can be harder – If network, data center and application security are elsewhere, it's harder to gather all that data and get a consistent, integrated view of what is going on throughout the organization.
- Responding to an incident is more complicated – Incident response can also be problematic when security specialists are spread throughout the organization. And when responding to an incident, speed and decisiveness are critical. In this scenario, the CSO needs to have a well-defined and practiced containment program to ensure the organization can marshal the resources needed to contain a problem when the time comes.
One thing to be clear about is that regardless of where security operations occur and report, security program management must be separate. A company's overall security strategy and the associated program must be managed by a chief security officer. Regardless of whether the CSO reports to the CIO or elsewhere, the buck for security must stop at the CSO's desk. It's as simple as that.
Why? Ultimately, someone must be singularly accountable for the implementation and success of the security program. That someone must be without preconceived notions or biases relating to their areas of expertise. An unbiased security professional can think in broader terms than someone just focused on operating the networks, applications or data center.
What's right for you?
I wish there were a simple answer, but your decision must be based on what is best for your organization and what will work best in your corporate culture. In some cultures, power equals people, and with no people, a CSO will be left twisting in the wind. Other cultures value collaboration and teamwork, and the best move for the CSO would be to move security specialists into the operational teams.
Regardless of which direction you go in today, it will likely move back the other way tomorrow. That just seems to be the natural order of things in the security business. There's a constant need to get better in security, and since internal business processes play a large role in any change, groups and roles will periodically shift as decision makers believe the grass is greener on the other side.
About the author
Mike Rothman is president and principal analyst with Security Incite, an Alpharetta, Ga.-based industry analyst firm specializing in the information security market. After starting his career as a programmer and networking consultant, he joined Meta Group in 1993 and spearheaded the organization's foray into information security. Rothman later founded SHYM Technology, a PKI software firm, and later served as an executive with both CipherTrust and TruSecure. He often serves as a consultant on security management issues, and is a regular speaker at industry conferences. Rothman is also the author of The Pragmatic CSO: 12 Steps to Being A Security Master.
This was first published in January 2008