True Convergence: the Security Coordinator Role
Security Process Professional (Roles and Responsibilities section), page dated 20 November 2008

What role(s) should ultimately be responsible for security? Should Information Security be merged with Physical Security, thus transferring responsibility for it out of IT? What about Security Awareness, Policy Management and Incident Handling? True convergence is more than just passing the hot potato around...

As it is currently used, "convergence" means merging physical and information security responsibility. There are good reasons to centralize your security policy management, but there is no good reason to transfer responsibility and accountability out of the departments best equipped to make sound security decisions for their areas. Such a transfer fails because it focuses mainly on where the responsibility is located--which is only nominally important--rather than on fully exploring the nature of security responsibility--which is paramount.

Security is an organizational risk responsibility whose factors for success are multidimensional and cross-disciplinary. Threats cannot be neatly assigned to one division or another in an organization. Therefore, you do not solve the security problem by shifting fragmented security responsibility around the organization. You do solve it, however, by implementing good security process, which can succeed even in the absence of named security roles. Most security problems stem from a fractured security model: one that compartmentalizes security efforts across the organization (which leads to redundant security controls working at cross purposes), one that provides no effective means for coordinating the overall security effort (which causes confusion and divergent perceptions), one that fails to quantify business risk (leading to uninformed business decision making), and one that fails to measure against clear security objectives (which leaves project and operations groups unable to determine how much security attention and budget should be applied). In other words, the root cause of most security problems is the failure to coordinate security efforts across the entire organization using a comprehensive framework that articulates, validates and documents what level of security the organization finds acceptable in every given case.

Companies that assign all security responsibility to one individual in any capacity other than enterprise coordinator for all organizational security efforts fail to recognize the complexity of the problem and its solution. Ultimately, the single person named as responsible and accountable becomes the security "sacrificial lamb" when something goes wrong. What is needed instead is a "security coordinator" role that can pull together subject matter experts on the fly to make enterprise security decisions.

Assessing the feasibility of any change to the IT infrastructure should require consideration of audit, legal and regulatory constraints, security policy and procedures, and input from tactical operations personnel, risk management personnel and IT management. Without some entity coordinating the process, sound judgments cannot be made as to how much security, optimally, should be built into the system and its supporting processes. A steward of the organizational security vision would be able to negotiate and coordinate the required resources from other sectors and determine executive management's security acceptability for any given effort. Such an individual would ensure that due diligence is performed for security prior to any significant change to the IT infrastructure. He would coordinate the review of current security policies, processes and procedures and obtain evidence that the infrastructure can accommodate the change without undermining existing security measures. He would facilitate the real-time investigation of changing legal and regulatory issues and threats, would ensure that breach history is reviewed, that business criticality and security levels are not overlooked, and that enterprise programs related to security--business continuity, disaster recovery and training--are appropriately updated.

What characteristics would make a good Security Coordinator? One could argue that the Security Coordinator, while ideally a seasoned security specialist, need not necessarily be one. Skills in communication and risk management are at least as important, and a mix of these, along with at least a strong overview knowledge of security principles, is probably preferable. Other complementary disciplines include audit and compliance, standards, process analysis, quality assurance and change management.

It makes good sense to consolidate security policy to ensure consistency and compatibility among policies that serve different parts of the organization. But it makes little sense to offload security responsibility and accountability outside the divisions that know best what is prudent and practical, and that are ultimately responsible for implementing security policy. Instead, let's expand the notion of convergence to encompass the entire security effort--not just the parts connected to IT and Operations--and place someone at the helm to guide all security efforts across the entire organization.

(c) 2005 Bar Biszick-Lockwood/QualityIT

Last Updated ( Wednesday, 23 March 2005 )