Managing the Security Function
The security function involves the continuous evaluation and improvement of security within an organization. Effective management of the security function is critical and requires the implementation of proper security governance.
One of the clearest examples of managing security is conducting a risk assessment to drive security policy. This process ensures that security is measurable and aligned with business objectives. Security metrics should be regularly tracked to assess the effectiveness of countermeasures and to ensure alignment with common security guidelines.
Alignment of Security with Business Strategy
Security management planning is essential for ensuring that security functions are aligned with the organization’s overall strategy, goals, mission, and objectives. This includes designing security policies that account for business cases, budget limitations, and resource constraints.
A common approach in security management is the top-down approach, where senior management initiates and defines security policies. Middle management is responsible for developing these policies into specific standards and guidelines, while operational managers and security professionals implement the configurations. This approach ensures that security is embedded at all levels of the organization.
In contrast, the bottom-up approach, where IT staff make security decisions without senior management input, is rarely used and considered problematic in most organizations.
The Role of Senior Management
Security management is ultimately a responsibility of upper management, not the IT staff. Senior management must approve and support the security policy for it to succeed. Without their approval and commitment, the security policy cannot be effectively implemented.
A well-designed security policy demonstrates due diligence and due care on the part of senior management, which is crucial for limiting the organization's liability and defending against claims of negligence.
Types of Security Plans
Effective security management planning involves the development of three types of plans:
- Strategic Plan:
  - A long-term plan that defines the organization's security purpose and aligns with the organization's goals and mission.
  - Typically valid for five years, with annual updates.
  - Should include a risk assessment.
- Tactical Plan:
  - A midterm plan developed to provide details on how to achieve the goals set forth in the strategic plan.
  - Useful for about a year and may include project plans, hiring plans, budget plans, and more.
- Operational Plan:
  - A short-term plan with detailed steps to accomplish the organization's goals.
  - Valid for a short period and regularly updated (monthly or quarterly).
  - Includes resource allocations, budget requirements, staffing assignments, and implementation procedures.