Thursday, December 5, 2019

The Conceptual Problem of Cyber Security Ownership


Effectively securing the IT and information assets of an organization is as much a problem in modeling the right approach as it is in having the right controls and technical solutions in place. 



For instance, wanting to distribute ownership of cyber security across the organization isn't a technical problem to solve. It's a business-model problem: it begins with a conceptual change, which then drives process change.


If we want to distribute cyber security ownership, we can conceptually view the relationship of a cyber security team and a cyber program in two ways.


#1 – the cyber security team is the cyber program.

#2 – the cyber security team is only one part of a larger cyber program.


If your organization's conceptual model is that the cyber security team is "cyber" and everyone else is "something else", then the messaging that follows from that model can have a negative impact on other teams.


Outsiders. Opponents. 


If an organization views, and constantly communicates, its cyber security program as something larger than its cyber security team, it then has the ability to distribute aspects of that program to other teams in a way that makes sense. The goal is a shared outcome.


Teammates. Partners. 


In my current organization, the distribution split is that the security team owns defining the standards, ensures the right instrumentation is in place to observe governance of those standards, and measures the results. The security team acts as the centralized eyes across all business processes.  Execution against those standards is owned by the team owning the business process.  Those teams each act as the hands within their organic ownership areas.


Since the easily digestible metaphor for execs to understand involves eyes and hands, we call our approach "eyes on, hands off."


The approach is possible because our conceptual model puts all of the activity under the cyber security program regardless of how the work is distributed. Frequent engagement between teams ensures standards alignment and governance around execution. 


Conceptual model => supporting process => standards => execution => measurement => engagement


The successful outcome began with changing the conceptual model. 

This post is part 1. Part 2 is “The Engagement Problem of Cyber Security Ownership.”

