Organizing or reorganizing the security function of a large company – Lessons from the field
Nostalgia, nostalgia… remember security organizations 20 years ago? It couldn’t have been simpler. The “typical” team was about fifteen people sitting in IT operations, all of them technology enthusiasts: the talk was all VLANs, Internet filtering, anti-virus comparisons… Attacks were still rare, regulatory pressure was limited, top management exercised no oversight whatsoever… in short, the CISO had an easy life! Admittedly, the first reflections on where the CISO should sit in the organisation were beginning to emerge (balance of power with the CIO, closer ties with the Risk department, etc.), but these discussions remained confined to a small circle of experts.
Twenty years later, the situation is totally different and security has taken on a whole new dimension in companies. The figures speak for themselves: in France, the ratio ranges from 1 security FTE per 500 employees to 1 per 3,000, with an average of around 1 per 1,000. Some financial institutions even reach record ratios of 1 per 200 once the different lines of defence are counted together. I’ll let you do the math: for a large group this quickly adds up to several hundred, even thousands of people! CISOs are therefore now in charge of a large and highly diversified workforce. In recent years the historical experts have been joined by a wave of project managers, PMOs, COOs and program managers, and sometimes even by specialised buyers and HR staff, who are all gradually learning to work together. Like a sports coach, the CISO now has to manage this squad and find the right organization, the right formation, to get results.
NO REVOLUTION: THE FUNCTIONAL MODEL REMAINS THE NORM
The reasons for reorganizing are always broadly the same: lack of control, a feeling of inefficiency, diffuse responsibilities… and the work involved can seem colossal. This leads some CISOs to consider disruptive solutions very quickly, in particular the idea of grouping all security resources into a single team with a single management line. Let’s not waste time and let’s be very clear: in 95% of cases, this option is not chosen. Such a move simply carries too great a risk of isolating the security function from the business, which is hard to reconcile with the need for proximity in certain activities: supporting business projects, raising awareness among specific populations, negotiating budgets, etc. The functional model remains the norm: a central team plus relays (local CISOs, security correspondents, etc.) spread throughout the organization. Some industrial players have recently moved towards centralisation, but that move is motivated more by a desire to bring cybersecurity resources together with the existing corporate security organisation, which is particularly mature in that industry.
Where the CISO reports also remains a matter of debate, one that has been widely aired and commented on for years. CIO, Risk Management, Finance, CEO… it sometimes looks like a race to see who can report highest in the hierarchy! But contrary to popular belief, there is no clear trend in the field towards moving the CISO out of the IT department. Quite the contrary: 3 out of 4 CISOs report to the CIO in large companies, and most reorganizations end up with that reporting line. The reason is simple: it is often an excellent place from which to get things done, move issues forward and secure a budget! A word of warning for those who choose a different reporting line: around 80% of a cybersecurity budget is spent within the IT department’s scope, so a good working relationship between the CISO and the CIO is essential. I have witnessed a few power struggles in recent years, and it is rarely the CISO who wins 😉
So there we have the basic principles: a functional network, usually reporting to the CIO, with a CISO in each of the company’s main business areas. The task now is to distribute all the cybersecurity activities across this organization, and there are many of them: policies, studies, awareness-raising, the cybersecurity programme, project support, audits, SOC, CERT, etc.
BREAKING DOWN SILOS AND SEEKING OPERATIONAL EFFICIENCY
As a service provider, I can testify to this: it is quite common to be asked several times for the same study by a single major client, from several different entities. This is quite understandable: in a functional model, each entity or country has its own security team, and without clearly established rules of the game, local management often has the reflex to reinforce its team at the slightest need (a specific study, audit findings, etc.). This is the whole trap of the functional model: it has many advantages but creates complexity and redundancy. And believe me, when the Group CISO finds himself explaining to top management why the company has 3 SOCs and 4 incident response units… it’s rarely the best meeting of the day ;-).
To avoid such situations, the trend is towards pooling expertise and creating central cybersecurity service offerings. In very concrete terms, this means that many organizations are pooling:
1. Cybersecurity expertise (studies, innovation, awareness-raising, etc.)
2. Detection and response (SOC, CERT, crisis exercises, threat intelligence, etc.)
3. Audits and controls (penetration tests, red team, code analysis, etc.)
4. Project management and PMO (reporting, PMO, communication, etc.)
Add a governance and strategy entity, and you are not far from the organization chart of many Group CISOs! Note that there are alternatives: some organisations opt for a distributed model, in which services are spread across entities (for example, the US entity is now in charge of the penetration testing service for the entire company), and very large companies often create intermediate hubs (by region, by business line…) to deliver these services. Whichever organisation is chosen, this consolidation movement is underway: it is estimated that around 40% of the security function’s staff now work on activities with a cross-functional scope… and that share has grown rapidly in recent years.
This move towards centralisation frees up local teams (CISOs or business/country/entity correspondents), who can consume these services and refocus on activities that require proximity to their business: risk assessment, integrating security into projects, security reviews, etc. This is still where the bulk of a security function’s workforce sits (easily 30 to 40%)… but that situation is very probably temporary! The spread of agile methods has a direct impact on these teams, whose job changes almost overnight when they are projected into feature teams to train, coach and equip “Security Champions”, who gradually gain in autonomy. As a result, local CISOs are also industrialising, organising their teams into service centres for these feature teams (development standards, code review, analysis methods…). You can see where this is going: the spectre of a single, centralized security team is likely to resurface quite quickly in the debates… and it is the agile transformation that is accelerating the process!
IT IS NOW POSSIBLE TO BUILD A CAREER IN A SECURITY FUNCTION
As discussed above, some security functions have gone from a few dozen people to several hundred or even thousands in the space of a few years. Of course, this requires a bit of organisation… but it is also a great opportunity for everyone working in the function! Project management, team management, expertise, communication… very few functions offer such diversity, and the situation is ideal for attracting and retaining talent. I can only recommend taking advantage of a cybersecurity reorganization to showcase this richness and work on skills management: salary alignment, re-skilling and up-skilling, training and certification plans, individual responsibilities, mobility processes… there are many topics to address in order to boost well-being and enable employees to build a full and rewarding career within the function!