Building the Security Organization
The organization that administers ESP determines the project's success or failure. Two principles are crucial to success:
The quality and security of data must be the responsibility of the business unit.
The distinction between security management and security administration must be clear.
Today, as in the past, IT organizations often assume responsibility for the quality and security of enterprise data. Because they write the security code into some applications, programmers sometimes have responsibility for devising the security policies that govern access to data. This allocation of responsibility is not appropriate. Business unit managers should understand the rules that apply to their data better than anyone else. However, to express those rules in a usable form, they need guidance from managers who specialize in security.
A "best practice" model for an enterprise's security organization is built on defining four roles associated with security. Three of them are security department positions: security director, security manager, and security administrator. These roles are associated with different skill sets, training, responsibilities, and pay scales. The fourth role, resource owner, typically is not a full-time job. Resource owners are managers within the lines of business who have been assigned responsibility for setting security policy under the guidance of a security manager. These distinctions are important because, when job descriptions are not defined, crucial tasks are often left undone. For example, resource owners typically focus on customer service. As a result, this priority takes precedence over proper policy enforcement. Emphasizing customer service over security concerns can open holes in the security system. On the other hand, if the security staff members lack resource knowledge, they may define weak policies.
The actual staffing levels for the security organization can vary widely by enterprise. Staff size is determined primarily by the value that an enterprise associates with security, ranging from very high for some government installations to very low in noncompetitive industries, and by the level of success of its investment in automation.
The person who leads the security department usually works at the level of a director or vice president. In addition to coordinating departmental activities, the director of security must perform some key leadership tasks. The marketing programs described later in this chapter are divided into two sections: upward (to executives) and outward (to business unit managers and other nonexecutive staff). The director has primary responsibility for the upward marketing program. The structure of domains created in the next chapter can have significant implications for staffing levels, job assignments, and even the success probability of ESP. The director of security must understand the implications of that structure before committing to it.
Security managers work with the resource owners to ensure that technology is applied properly. Security managers understand how resources can be protected and how the lines of business operate. By applying technology to the business problem of resource security, they can design and implement secure systems. Security managers are advisers and trainers. Most resource owners are managers. To be effective, their advisers in the security organization (the security management staff) must be at a similar management level. Security managers develop the strategies and determine the policies that apply to the business units and the enterprise.
All organizations experience change. Keeping security systems synchronized with that change is imperative. Employee transfers and resignations must be reflected rapidly (ideally, within minutes) in enterprise-wide security authorization databases. Security administrators perform administrative tasks that implement policies, such as assigning authorization levels to individual users.
In a role-based authorization scheme, the constant remapping of individuals to their appropriate corporate roles creates a constant work volume as corporations adapt to new business environments.
Security administration systems based on the older application security models, rather than role-based or data-centered models, are considerably more taxing to security administrators, who simply cannot keep up with the level of change in the distributed environment.
For example, under the older model, when an employee is fired, the security staff must find every place that employee is defined and delete his permissions. In a company with 4,000 servers, each housing multiple applications, sometimes hundreds at each server, just finding those authorization records can take weeks. The same effort is needed when someone changes jobs or when a new person is hired. Many companies say that it takes them three weeks to add a new employee because of this work overload. Efforts to automate, or at least simplify, this area are a top concern for security product vendors.
Resource owners are not in the security organization; they work in the business departments. An enterprise secures resources to protect their business value. The knowledge of that value, and of changes in that value when the resource is used or updated, must come from the responsible business units. Most resource owners understand business value but have little understanding of the technology used to protect it. After security management has defined a resource classification scheme, the resource owners should determine the classification of each resource. Step 2 of this book covers the classification of resources in detail.
Where Security Reports
Most enterprises categorize security organizations as an IT function, ideally as a chief information officer (CIO) staff function. The relationship between security and information technology must be strong, because IT personnel install and maintain the security staff's primary tools.
Most security organizations use existing staff to meet new demands whenever possible; therefore, they grow without an organizational strategy. As a result, job descriptions have expanded and become less uniform across the industry.
Consequently, replacing personnel is now more difficult. Selecting and scheduling training for security staff is also affected. The need to move to distributed security architectures has exacerbated the situation, as organizations have tried unsuccessfully to map significant retraining needs to existing job descriptions.
Using the current technology transition from centralized to distributed paradigms as an opportunity to reorganize the security organization offers the best solution. Enterprises can implement new structures and new job descriptions as a part of adopting ESP. This transition can also drive structural changes in IT organizations. The traditional "stovepipe" IT organization shown in Figure 1.1 grew new legs as each new technology was added to enterprise environments. Organizations promoted technical specialists to management above their particular area of technology specialization.
Figure 1.1 Traditional Stovepipe IT Organizational Structure
New application paradigms such as client/server and Web-based design that distribute application components across many of these traditional applications have forced reassessment of this organizational style. In the stovepipe organization, security typically reports within the data center structure only because the data center is the most security-conscious organization in the enterprise.
A more-effective style of organization is shown in Figure 1.2. This function-oriented organizational structure integrates existing as well as new technologies, and the structure provides clear lines of responsibility for the success of business-oriented IT functions.
Figure 1.2 Function-Oriented Organizational Structure
It also shows the security staff reporting directly to the CIO. This reporting structure is important. Security should be centralized in a single department that can make sure that policies are applied across the enterprise with no gaps between departments, branches, and user domains. In addition, it should report to the CIO rather than to a senior-level IT manager, because the IT department is frequently the source of security compromises, so the security staff must be able to bypass IT staff to speak freely and directly to the CIO.
The ideal time to establish a centralized, technology-independent security department is during the transition to a function-oriented organizational structure.
Building Security Job Descriptions
The rate of technological change will continue to accelerate, and the jobs of today might have relatively short lives. Because of this factor, as many security functions as possible (in fact, all computer-support functions) should be automated.
The functions of a pure security administrator will soon disappear. As enterprises automate these functions, fully distribute them to their business units, and assimilate them into other job functions related to human resources, security administration will no longer be a separate business discipline. This projected change has significant implications for organizations that are now outsourcing their local administration functions. They may be locked into long-term outsourcing contracts at a time when they need to absorb these services into their business units.
Security management will continue as a required business discipline, but the number of practitioners will diminish as resource ownership becomes a more accepted part of management responsibility outside the security organization.
As with jobs, job descriptions developed now will have a shorter life than their predecessors and will continue to change as the technology changes. Thus, management should shorten the time invested in creating these descriptions. The templates that follow provide sample job descriptions.
These templates aim to be comprehensive. Most organizations will select portions of the templates; very few will use them in their entirety.
Sample Templates of Security Job Descriptions
Director (or Vice President) of Security
Summary: Leads company in adopting and accepting appropriate security procedures. Manages department that ensures appropriate security controls are in existence and in force throughout the company.
Duties and Responsibilities:
Works with executive management to determine acceptable levels of risk for the company.
Works with business unit management to ensure that resource owner responsibilities are accepted and appropriately staffed.
Consults with Information Technology management to facilitate selection and use of realistic enforcement mechanisms.
Helps peer managers understand and respond to security audit failures reported by internal and external auditing departments.
Supervises security management staff and security administration staff.
Reviews and approves security policies and resource classification scheme.
Presents security status and project status to executive management and the Board of Directors.
Required skills, experience, and competencies: Bachelor's degree plus six years of information security experience or a minimum of eight years of information security experience. Ability to relate business requirements and risks to technology implementation for security-related issues. Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies. Strong communications and public-speaking abilities. Demonstrated skills in budget management, personnel management, and contention management. Knowledge of current company business functions and operations.
Additional desired qualifications: CISSP or CISA preferred. Knowledge of distributed systems technology and client/server application design is beneficial. Second-level management experience strongly preferred.
Security Manager
Summary: Determines methods of implementing and enforcing security policies. Advises resource owners on forming appropriate security policies.
Duties and responsibilities:
Identifies existence of securable resources and helps business unit management select appropriate resource owner.
Works with resource owners in business units to determine appropriate security policies for securable resources.
Consults with Information Technology Technical Services staff to evaluate, select, install, and configure hardware and software systems that provide appropriate security functions.
Helps resource owners and Information Technology staff understand and respond to security audit failures reported by internal and external auditing departments. May review operational logs and event console activity to determine cause of security-related events or to identify potential security-related events.
Advises security administration staff on normal and exception processing of security authorization requests.
Documents security policies; maintains resource classification scheme; and presents information on security status, project status, and security training to audiences from top executive level to field staff as appropriate.
Required skills, experience, and competencies: Bachelor's degree plus three years of information security experience or a minimum of five years of information security experience. Ability to relate business requirements and risks to technology implementation for security-related issues. Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies. Strong communications and public-speaking abilities.
Additional desired qualifications: CISSP or CISA preferred. Knowledge of distributed systems technology and client/server application design is beneficial. Experience as an IT auditor is highly valuable.
Security Administrator
Summary: Ensures the currency and accuracy of all authentication and authorization management systems.
Duties and responsibilities:
Accepts requests for change in authentication and authorization systems. Validates requestor and determines authorization of requestor.
Modifies authentication and authorization systems to match change requests.
Helps security managers determine "reasonableness" of policies requested by resource owners. Defines process for implementing new policies.
Identifies unauthorized changes to authentication and authorization systems and notifies Director of Security.
Required skills, experience, and competencies: Two-year college degree and two years' experience in office administration environment. Ability to see patterns and identify exceptions. Strong telephone and communications skills.
Additional desired qualifications: Knowledge of security procedures and technology. Understanding of audit processes.
Centralizing and Decentralizing Security Functions
Frequently, security administration is centrally managed and located. Many other systems management disciplines are becoming more centralized, as skill shortages and economies of scale dominate organizational decisions. Security administration does not follow this pattern. Instead, the trend is toward further distribution of the responsibility to lines of business. This trend will accelerate as vendors deliver better tools.
The authority exercised by a security administrator in assigning roles and rights to individuals is a direct expression of the policies set by resource owners under the guidance of, and perhaps as executed by, the security manager. Basic security and audit rules require that some degree of separation exist within this triumvirate. As previously stated, the resource owners should be local to (that is, report within) the business units. As long as this condition is met, either security administration or security management, but not both, can also report within the business unit.
Consistent policy is also an audit requirement. Because security management staff manages policy, the security managers must be centralized. A new generation of tools that provide consistent policy enforcement through a delegation of administration mechanism makes possible the distribution of security administration.
Unfortunately, many organizations have achieved fully distributed security administration without the tools to enforce consistent policy and reduce administrative duplication. As a result, the least-secure system at the least-secure site is the hacker's port of entry into the entire enterprise's computing environment.
Centralized security management maintains effectiveness by controlling tools that provide delegation management and through internal audit procedures. The auditing process comprises three separate activities:
- Static policy audit
- Real-time event detection
- Attack simulation
Chapter 9 describes the tools to support all these activities.
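The contrast drawn earlier between role-based and per-application authorization records, and the static policy audit listed above, as an added Python example that is not part of the book: a central user-to-role directory is the only record an administrator edits, and the audit reconciles it against a constructed snapshot of what each application actually stores, flagging grants no role confers (including a departed user still defined on a server) and grants policy expects but that were never applied. All servers, applications, users and permissions are constructed sample data.

```python
"""Static policy audit for a role-based authorization model.
Added example, not from the book; all names and data are constructed."""
from collections import defaultdict

# Central policy: role -> set of (server, application, permission).
ROLE_GRANTS = {
    "teller": {("srv01", "ledger", "read"), ("srv02", "cashbox", "write")},
    "auditor": {("srv01", "ledger", "read"), ("srv03", "archive", "read")},
}
# Central directory: user -> roles. This is the only record an administrator
# edits when someone is hired, transferred or terminated.
USER_ROLES = {"alice": {"teller"}, "bob": {"auditor"}, "carol": {"teller", "auditor"}}
# Constructed snapshot of what each application actually stores, as a
# collector would gather it: (server, application) -> {user: {permission}}.
DEPLOYED = {
    ("srv01", "ledger"): {"alice": {"read"}, "bob": {"read"}, "carol": {"read"},
                         "dave": {"read"}},              # dave: not in directory
    ("srv02", "cashbox"): {"alice": {"write"}, "carol": {"write", "admin"}},
    ("srv03", "archive"): {"bob": {"read"}},             # carol's grant never applied
}


def expected_grants(user_roles, role_grants):
    """Derive from policy the grants each user should hold."""
    expected = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            expected[user] |= role_grants.get(role, set())
    return expected


def audit(user_roles, role_grants, deployed):
    """Compare deployed grants with policy. Returns (excess, missing), each a sorted
    list of (user, server, app, perm). Excess grants are what an administrator
    under the per-application model would have to hunt for server by server."""
    expected = expected_grants(user_roles, role_grants)
    excess, missing = set(), set()
    for (server, app), users in deployed.items():
        for user, perms in users.items():
            for perm in perms:
                if (server, app, perm) not in expected.get(user, set()):
                    excess.add((user, server, app, perm))
    for user, grants in expected.items():
        for server, app, perm in grants:
            if perm not in deployed.get((server, app), {}).get(user, set()):
                missing.add((user, server, app, perm))
    return sorted(excess), sorted(missing)


def deprovision(user_roles, user):
    """Role-based offboarding: one central change; re-running audit() then lists
    every application record still carrying the departed user's permissions."""
    user_roles.pop(user, None)
    return user_roles
```

Running audit() before and after deprovision() shows why the role-based model scales: the termination itself is a single directory change, and the audit does the enterprise-wide search for stale records that the older model left to the administrator.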