SOME THOUGHTS ABOUT ORGANIZATION STRUCTURE

Note: what follows is a document I prepared for my Syracuse University class. I would be interested in any feedback on its contents, either in the comments section or by email at dmintz@ourownlittlecorner.com. Thanks.


One of the first discussion topics for our class dealt with an excerpt from one of our textbooks about where the security function should report within an organization.

The excerpt said “In these cases, the information security manager generally reports directly or indirectly to the CIO but in some cases may report to the CFO or, unfortunately, even to Operations.”

I was interested in getting each of your reactions to this quote, and perhaps a comment on the value of having security report to the CIO, to the CFO, or to Operations Management. It was also reasonable to suggest still other possible reporting relationships for the security operation. Each has advantages and disadvantages, which we will come back to a few times during the course of the class and which I expect each of you to comment on in your Final Paper.

Based on some of the responses, I thought it would be useful to talk a bit about organizational implications in general and provide some lessons learned from my time at the US Department of Transportation.

Organizational Implications

This will not be an exhaustive review of Organizational Theory and its implications, a topic worth a number of classes all by itself. Instead I would like to touch on three topics that relate a bit more directly to the question posed by the excerpt.

Signals Importance

How a senior manager, or any manager for that matter, organizes their direct reporting structure sends a signal to people above and below them in the organization, as well as to the organization's internal and external stakeholders.

By signal I mean that the manager is indicating what they feel is most important (the functions that report directly to them) and which functions they feel relate to each other (how sub-functions are grouped together).

For example, let’s look at the options that the excerpt presented. If the security manager reports to the CIO, one thing being said is that the CIO owns information security. This means either that security is not important enough to report directly to senior corporate management, or that it is so intertwined with the other CIO responsibilities that it cannot be dealt with separately.

If the security function reports to the CFO, this may convey a number of different messages. It might mean that financial loss is the major implication of bad security. If the CFO also has general oversight responsibilities, this may imply that the security manager has more of an oversight role and that operational security responsibilities exist elsewhere within the organization, perhaps in operations.

If the security function reports to Operations, one of the unfortunate messages being sent is that operational requirements dominate security thinking. Typically this occurs when the focus of security is largely technical in nature, that is, how to implement security. Oversight, meaning checking to see whether the security is actually working, tends to be under-resourced.

At the Department of Transportation, the CIO reported to the Office of the Secretary, and the information security officer reported to the CIO. As the CIO I was the person responsible for approving and implementing security policies. As much as possible, I made the information security officer visible to senior management, but there was never any question that I was held responsible in the end.

Making Decisions

One of the most, if not the most, critical resource we need to manage is time. We make decisions every day regarding where we spend our time.

These decisions affect which topics we become more aware of and which we do not. People who work with us, for us, or for whom we work will notice over time which topics we are most interested in. If our focus or opinion matters to them, that focus will also shape what they pay attention to with their own limited time.

While I was at the Department of Transportation I got into an argument with a senior manager from the Office of Management and Budget, OMB, which reports to, and is part of, the White House. OMB is responsible for approving budgets for all of the Federal Government (the B in OMB) and for setting management policies for all of the Federal Government (the M in OMB). I will note that the B part has typically been more important and had greater impact than the M part.

This person’s contention was that as long as sufficiently robust goals and associated measurements were established, it wasn’t really critical whether someone, in this case a CIO, reported to the senior management of their Department or Agency (referred to in Federal speak as a D/A) or to an intermediate manager. In my case the options were to report to the Office of the Secretary of Transportation, that is, the Secretary or Deputy Secretary, who typically acted as a team, or to one of the direct reports to the Office of the Secretary. With clear goals and clear measurements, the CIO would know what they needed to do and how they would be judged.

I disagreed, perhaps partially because I reported to the Office of the Secretary and liked that reporting relationship. My reasoning was that the real issue was whether the ultimate decision maker understood me and my issues well enough, not whether I understood them. If the Deputy Secretary, for example, didn’t see me on a regular basis, he or she would be less likely to know when to listen to my request for resources or support. They wouldn’t know how to judge how important my request was compared to other requests coming from different parts of the Department.

What Are the Security Function Responsibilities?

Security includes a number of responsibilities. They may be operational: keeping information and systems safe. They may be oversight: measuring how well security is being implemented. They may be policy related, the major focus of this class, which includes defining the rules that employees and external stakeholders are to follow when accessing or using the information assets of the organization.

Combining all of these into one organization simplifies management a great deal but brings up a number of difficulties. Typically, combining operational security with policy security leads to the policy part getting little attention. Tactical requirements always come first, since they affect the day-to-day operations of the company, and justifying the overhead investment needed to do both is hard. Combining the oversight function with the implementation function can also be dangerous: it is difficult for oversight to work well when the people being reviewed are part of the same organization.

I will provide a separate document describing how this worked at the Department of Transportation and some of the issues I wrestled with.

Summary

The important message that I would like to convey here is that, when thinking about the organizational implications of security, it is important not to think only about the security function itself. Too often security personnel are completely focused on operational problems or technical issues relating to implementation. This is understandable, since normally the responsibilities of the position are much greater than the resources devoted to it, and because the ability to completely protect systems is very limited, so it seems we are continually dealing with breaches.

In particular, security management needs to take a broader perspective. In addition to looking downward and worrying about tactics and security implementation, security management needs to look upward in the organization and understand the goals of the company and the goals of their immediate and next-level management.

Security requirements need to be articulated in the context of those corporate and senior management goals. This requires you, if you are that manager, to understand those goals well enough to map them into your requirements and plans. If you cannot explain the relationship, then getting good decisions will depend on senior management taking the time to figure those relationships out themselves. Generally that is not a smart approach.


Comments

One response to “SOME THOUGHTS ABOUT ORGANIZATION STRUCTURE”

  1. Dennis Filler

    As CIO for the FAA Air Traffic Operation, this was a major issue and still is today. Security, in my opinion, should report to the CIO. The CIO should be at the board level, as was your position and the FAA position (but not the ATO structure). Security – strategy (policy) and operations (implementation) are and must be linked. When security is separate from the operation, the tendency is to put security on such a pedestal that one forgets that secure operations is the organizational goal. Security and operations are a balancing game. Operational expediency and security are always at odds. I found that by making operations and security have the same (i.e. shared) goals I achieved a better result. Many times security was advising to shut the system or parts of it down; operations’ goal was to keep as much of it working as possible despite the security threat. When focused together – they collaboratively worked on strategies that reduced the impact of the threat and optimized the secure availability of the organization. Together, operations and security worked to formulate policy – i.e. strategy that could be implemented on a day-to-day basis without detracting from the overall CIO objectives. Finance is not the place to ever put your IT elements – unless IT is your business – as it will take a back seat to a myriad of other issues. When everything becomes a dollars-and-cents discussion, portals, OS considerations, Blackberries and the like would never be implemented until they are passé technologies, because determining the future value and operational impacts is too much an art rather than a simple mathematical formula.