Organizing security: Roles and responsibilities
Making computer systems secure requires a variety of skills. It is common business practice to organize a complex set of tasks according to the skills they require. Unfortunately, many large IT organizations organize around technologies instead. Computer security, which should be more business oriented than technology driven, is easier to achieve if we follow good business practice.
Advice for a Small Business
Small companies must secure their computers using staff who have a long list of other responsibilities. Even so, it is useful to understand the various roles involved in securing computers in large companies.
Common computer security-related roles are shown in Table 11. A single person may perform multiple roles if they require similar skills.
One of the basic security principles is separation of powers: One group of people or managers should not be allowed both to set the rules and to manage compliance to the rules. If all of the functions listed above were placed with a single person or organization, there would be no separation. Even placing them all within the IT division would be much too close. A few of the roles are easy to see as being fully separated from IT. The internal auditor and the resource owner are the first two to be handed to other managers.
Table 11 Common Security-Related Roles
Within IT, it is important that the roles associated with security policy formation (officer and manager) be isolated from those concerned with the deployment of enforcement mechanisms (network and system staff). Two roles, security operator and forensic analyst, are relatively recent additions. As tools for monitoring policy compliance have matured, these roles have developed to operate the tools via security consoles, to analyze the information that these tools provide, and to enable recovery from successful security attacks.
Fitting all of these roles into an organizational structure results in two common solutions, depending on one outside influence: the government. Some industries are subject to computer security regulations. Health care, financial services, and state and federal agencies need to organize computer security as a parallel organization to IT. Typically, the CSO reports to a regulatory and compliance executive who has a legal background. In other industries, the CSO (sometimes referred to as the Chief Information Security Officer, or CISO) reports to the corporate Chief Information Officer (CIO), in parallel with, and at the same level as, the head of IT.
In organizations that have done a poor job of implementing computer security, there is no CSO or CISO, and computer security functions are handled by technicians buried within the IT organization. This approach to computer security is rapidly waning in publicly traded companies, due to extreme pressure from external auditors and federal government agencies responsible for critical infrastructure protection.
Advice for a Small Business
Smaller companies do not create "officer"-level positions. In this case, it is important to separate the policy and execution roles as much as possible. Although an IT department, no matter how small, may retain all responsibility for configuring, installing, and maintaining the computer equipment, security policy, which governs many details of those tasks, should be assigned outside of IT.