Effectively securing the IT and information assets of an
organization is as much a problem in modeling the right approach as it is in having the right
controls and technical solutions in place.
For instance, wanting to distribute ownership of cyber security
across the organization isn’t a technical problem to solve. It’s a business model problem that begins with
a conceptual change that then leads to process change.
If we want to distribute cyber security ownership, we can conceptually view the relationship of a cyber
security team and a cyber program in two ways.
#1 – the cyber security team is the cyber program.
#2 – the cyber security team is only one part of a larger cyber program.
If your organization’s conceptual model is that the cyber
security team is “cyber” and everyone else is “something else”, then the
messaging that results from that model might have negative impacts
on other teams.
Outsiders. Opponents.
If an organization views and constantly communicates its
cyber security program as a conceptual entity larger than its cyber security
team, it then has the ability to distribute aspects of that program to
others in a way that makes sense. The goal is a shared outcome.
Teammates. Partners.
In my current organization, the distribution split is that the
security team owns defining the standards, ensures the right instrumentation is
in place to observe governance of those standards, and measures the results. The security team acts as the centralized eyes across all business processes.
Execution against those standards is owned by the team owning the business
process. Those teams each act as the hands within their organic ownership areas.
Since the easily digestible metaphor for execs involves eyes and hands, we call our approach “eyes
on, hands off.”
The approach is possible because our conceptual model puts
all of the activity under the cyber security program regardless of how the work
is distributed. Frequent engagement between teams ensures standards alignment
and governance around execution.
Conceptual model => supporting process => standards
=> execution => measurement => engagement
The successful outcome began with changing the conceptual model.
This post is part 1. Part 2 is “The Engagement Problem of Cyber Security Ownership.”