Organizational Structures

The way an organizational structure evolves over time affects the way people behave. Management must determine the behaviors and values it wants to promote; then it can design an appropriate structure. The organizational structure chosen by management influences how security policies are put in place. It creates complex relationships and personal dynamics between different leaders, layers of approvals, and core values. An organization’s structure reflects the relationship between teams (or departments), their responsibilities, and lines of authority. TABLE 5-1 highlights some common types of stakeholders. It is not an exhaustive list; the stakeholders will vary depending on the policy being implemented. For example, data center security policies typically include physical security, so the stakeholders for those policies will include building managers, who ensure that all doors are secured and cameras are well placed. Table 5-1 does, however, illustrate the broad and competing interests that must be addressed when implementing a security policy.

TABLE 5-1 Common Stakeholders

STAKEHOLDERS          | KEY FOCUS AREAS
Lines of business     | Timely delivery of high-quality products and services at competitive prices
Information security  | Protection of the company and the customer
Compliance            | Compliance with laws and regulations
Operational risk      | Keeping operations within risk tolerances
IT architects         | Setting of technical standards
IT developers         | Building solutions to meet business and technical standards
IT operations         | Operationalizing
Audit                 | Effective, comprehensive assurance policies
Finance               | Effectively managed budgets
Human resources       | Hiring, management practices, and related activities
Executives            | The leadership that ultimately approves all business decisions or approves which subordinate can make such decisions

An organizational structure clearly indicates who’s in charge and who reports to whom. FIGURE 5-2 depicts a typical U.S. company organizational chart. You can learn a lot from an organizational structure. In this example, notice two lines of business. Assume that these businesses are distinct enough that they require a separate focus and leadership. This could be because the products are distinctive or because the customer base has unique needs. For example, a bank typically separates its retail banking functions (including services such as personal checking accounts and lines of credit) from its commercial banking (business loans and checking accounts, among other services). Although both are banking functions, the products, customers, and regulations can be very different.

FIGURE 5-2 Typical organizational chart (an organization chart with several levels).

The key point is that an organizational structure provides insight into leadership’s perspective on the business and the types of challenges it faces. You also get a sense of priorities. You can see in Figure 5-2 that the business has decided to centralize the information technology (IT) function. This is typically called shared services, a term for a department or team that provides similar services across an entire organization. By centralizing services, a business can reduce operating costs. For example, rather than building two almost identical data centers to serve two business lines, both can share the same data center operated by the IT department. Within the IT department’s structure, you find a further breakdown of how services are provided to the two lines of business. Also notice how some departments report directly to the office of the president. This gives them greater influence and perceived authority.

TIP

Consider the regulatory mandates, too, when understanding organizational influences. The higher in the organization information security issues are reported, the more influence the security function has. For example, the Gramm-Leach-Bliley Act (GLBA) requires the board of directors of an organization to be briefed on information security programs. GLBA requires many other things of corporate boards as well, but the point is that regulations requiring senior leadership engagement create visibility and an opportunity to advocate for information security.

Let’s examine how these dynamics influence the implementation of security policies. Assume the chief information security officer (CISO) reports directly to the chief financial officer (CFO), as shown in FIGURE 5-3. The CFO’s role is traditionally a powerful position. Consequently, it’s more likely that information security is perceived as a business concern rather than solely a technology issue. This allows information security policies to be given a higher priority across the enterprise.

FIGURE 5-3 CISO reporting directly to CFO.

Conversely, let’s assume the CISO role reports three or four layers deep inside the IT department, as shown in FIGURE 5-4. The CISO would not have the organizational muscle to implement security policies with the same perceived influence or authority. This does not mean security policies couldn’t be implemented effectively. The difference would be the approach used given the organizational realities. In this case, the CISO would most likely seek greater executive involvement rather than relying on the CFO’s influence and authority.

FIGURE 5-4 CISO organizational chart—CISO role appears several layers deep.

Ultimately, an organization has to determine how it wants to manage the division of labor and span of control. Division of labor refers to how tasks are grouped into jobs. It’s sometimes more effective to divide tasks into specialties, which raises the depth and quality of the work. As more tasks are divided into separate jobs, more specialties are created. As more specialties are created, more teams are formed. The result is that the organization grows, along with its operating costs. Employees are the most valuable resource, but they are also expensive. They require salaries, training, supplies, facilities, benefits, and leadership support. An organization needs to divide labor in a way that yields quality and keeps it competitive while controlling operating costs.

FYI

The larger the organization, the more diverse a set of relationships will exist within it. This means potentially more stakeholders will need to be engaged. It is important to understand that the stakeholders in this matrix are not just communicating with the security team, but also with each other. This is why transparency is a necessary part of the policy implementation process. The interaction of leadership and the different personalities can significantly impact a policy deployment. The more you can create a unified view, the greater the likelihood of success.

Another consideration is span of control, which relates to the number of layers and number of direct reports found in an organization. The span of control widens when a leader has many direct reports. This tends to flatten an organization. This is called a flat organizational structure. When the span of control widens, the leader is less connected to the details of what’s going on. If a leader has to deal with a dozen direct reports, for example, it’s doubtful he or she would have time to address many details. The leader would tend to focus on the big picture and the big risks.

There’s no magic rule on the right number of direct reports. The appropriate span of control depends on the nature of the business, complexity of the issues, and number of problems needing the leader’s attention. As the span narrows, the organization gains layers. This is called a hierarchical organizational structure. More layers tend to make an organization bureaucratic. Hierarchical organizations are necessary. They allow specialties to thrive and produce high-quality products and services.

Having multiple layers isn’t necessarily bad. There needs to be separation, though, not just for efficiency, but also to create segregation of duties. Segregation of duties (SOD), also referred to as separation of duties, refers to a requirement that a task be performed by more than one person. This approach is often used to prevent fraud and reduce errors. The point is to create the minimum number of organizational layers needed to achieve a specific business purpose. An organization can have an overall hierarchical structure with pockets of flat organizational structure for specific teams and departments. An example of SOD would be to separate the ability to set up a new vendor account from the ability to authorize payment to a vendor. The ability both to set up and to authorize a vendor creates an opportunity for fraud. SOD controls reduce the likelihood that a fake vendor is set up and paid.
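The vendor example above describes two controls that an access-management or payments system would actually enforce: a static check that no single identity is granted both "set up vendor" and "authorize payment" entitlements, and a runtime check that the person who created a vendor record cannot be the one who approves a payment to it. The following Python is an added illustration written for this page, not code from the textbook or any real payments product; the entitlement names (`vendor.create`, `payment.authorize`), the users, and the ledger are constructed sample data.

```python
"""Segregation-of-duties (SOD) checks for a vendor-payment workflow.

Added example for this page; the entitlement names, users, vendor ids and
amounts are constructed, not taken from any real system.
"""
from dataclasses import dataclass, field

# Pairs of entitlements that one person must never hold at the same time.
# Constructed toxic combination: setting up a vendor and paying that vendor.
TOXIC_COMBINATIONS = {
    frozenset({"vendor.create", "payment.authorize"}),
}

# Constructed entitlement assignments. "carol" has drifted into holding both
# halves of the toxic pair, which the static check should surface.
ENTITLEMENTS = {
    "alice": {"vendor.create"},
    "bob": {"payment.authorize"},
    "carol": {"vendor.create", "payment.authorize"},
}


class SodViolation(PermissionError):
    """Raised when an action would let one person complete both halves of a task."""


def find_sod_conflicts(entitlements):
    """Static check: return {user: toxic pair} for every user holding a full toxic pair.

    Run this over role assignments periodically (or on every grant) so the
    conflict is caught before anyone tries to use it.
    """
    conflicts = {}
    for user, granted in entitlements.items():
        for pair in TOXIC_COMBINATIONS:
            if pair <= granted:          # user holds every entitlement in the pair
                conflicts[user] = pair
    return conflicts


@dataclass
class Vendor:
    vendor_id: str
    created_by: str


@dataclass
class PaymentLedger:
    vendors: dict = field(default_factory=dict)
    payments: list = field(default_factory=list)

    def create_vendor(self, actor, entitlements, vendor_id):
        if "vendor.create" not in entitlements.get(actor, set()):
            raise PermissionError(f"{actor} may not create vendors")
        # Record who set the vendor up; the runtime SOD check depends on this.
        self.vendors[vendor_id] = Vendor(vendor_id, created_by=actor)
        return self.vendors[vendor_id]

    def authorize_payment(self, actor, entitlements, vendor_id, amount):
        if "payment.authorize" not in entitlements.get(actor, set()):
            raise PermissionError(f"{actor} may not authorize payments")
        vendor = self.vendors.get(vendor_id)
        if vendor is None:
            raise LookupError(f"unknown vendor {vendor_id}")
        # Runtime SOD check: the vendor's creator may not approve payment to it,
        # even if role drift has given that person both entitlements.
        if vendor.created_by == actor:
            raise SodViolation(
                f"{actor} created vendor {vendor_id} and may not authorize payment to it"
            )
        record = (vendor_id, amount, actor)
        self.payments.append(record)
        return record


def demo():
    """Exercise both checks on the constructed data and return the outcomes."""
    ledger = PaymentLedger()
    ledger.create_vendor("carol", ENTITLEMENTS, "V-100")   # carol sets up the vendor
    try:
        ledger.authorize_payment("carol", ENTITLEMENTS, "V-100", 5000)
        carol_blocked = False
    except SodViolation:
        carol_blocked = True                                # second half denied
    bob_paid = ledger.authorize_payment("bob", ENTITLEMENTS, "V-100", 5000)
    return {
        "static_conflicts": sorted(find_sod_conflicts(ENTITLEMENTS)),
        "carol_blocked": carol_blocked,
        "bob_paid": bob_paid,
        "payments_recorded": len(ledger.payments),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the static scan is what an access review would run against role assignments, while the runtime check is the control that still holds when the review was missed or the assignment changed after it ran.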

The difference between a flat and hierarchical organization is relative to its size and business model. The same chart in Figure 5-2 can be perceived as either flat or hierarchical. To understand the difference, you need to look at the number of layers between the managers controlling the business and the workers delivering products and services. For example, assume Figure 5-2 represents a carpet cleaning business with 20 workers. The two lines of business could be commercial and residential customers. The organization could be perceived as hierarchical, because the number of layers between the president of the company and the workers could be perceived as excessive. Given the size and complexity of the business, one would expect a much smaller and flatter organization. Yet the same figure applied to a larger business would be relatively flat. For example, assume Figure 5-2 represents a major domestic bank that offers retail banking and credit cards as lines of business. A major bank could have tens of thousands of employees, yet Figure 5-2 reflects a relatively flat organization.

Flat Organizations

In a flat organization, the leaders are close to the workers that deliver products and services. A flat organization is generally defined as one with a limited number of organizational layers between the top and bottom ranks. As a result, leaders know their customers’ and employees’ needs and problems firsthand. This tends to produce faster decisions and more confidence to innovate. The right leader within this type of structure can be inspiring. This structure gives the leader the ability to connect with the workers and build trust.

In a flat organization, leaders can bring their knowledge about customers and products to the creation and implementation of security policies. Security policies are not abstract concepts in a flat organization. They are seen through the lenses of individuals directly accountable for the delivery of product and services. In a hierarchical organization, leaders are also responsible for product and services; however, the accountability is indirect through several layers of leadership. Having firsthand knowledge of the company’s products and services is always valuable in implementing security policies.

Flat organizations often have decentralized authorities. This can quickly become a negative for flat organizations when the span of control becomes too wide. With a wide span of control, there is no time to bring every problem to management for resolution. In some ways, you need higher caliber teams that feel comfortable making independent decisions. Yet these decisions can lead to problems, especially when dealing with information security. One such problem is conflicting statements to regulators by a subordinate and by senior leadership. It’s important when defining security policy in a flat organization to decide clearly how issues are to be identified, catalogued, debated, and escalated. This includes clarity about who has the authority to speak to the regulator and present the full risk story.

Hierarchical Organizations

For large organizations, hierarchical models are a necessity. The complexity of keeping a large organization running effectively requires a hierarchy of specialties. This means senior leaders are more detached from day-to-day operations. Can the same tone at the top be sent to all employees in a hierarchical organization? Yes, but it’s more difficult than in a flat organization. The dynamics are different in a hierarchical organization.

Consider a help desk worker in an organization with 10,000 employees. The help desk worker is engaged with management within the team and department. Receiving a message on the importance of information security from the president of the company may have far less impact in a hierarchical organization. The message must still be sent, but it needs to be reinforced throughout the layers.

FYI

When rolling out information security policies, make communications a priority. Be sure your approach includes these points:

  1. Be clear—Avoid technical jargon when possible.
  2. Set the tone at the top—Ask your leaders to help deliver the message.
  3. Use many channels—Reinforce the message as many times as possible.
  4. Be forthcoming—Be honest and candid about any impact the policy will have.
  5. Say “thank you”—Acknowledge the efforts both to create and to implement the security policies.

This list is not exhaustive, but it highlights key points.

To be successful in implementing security policies in a large organization, you must continually sell the message at each layer. You must build support at the top, middle, and bottom ranks. You must choreograph the review, approval, and release process so you continue to be part of the messaging. Remember, the message can change as it moves through the layers of the organization. For example, when dealing with senior leaders, a core part of the message could be cost avoidance and reduction in operating risks. Messages to other layers might have greater emphasis on regulatory compliance or meeting customer expectations of privacy. It’s important to tailor the benefit message to resonate with the audience. If workers can connect with the importance and priority, they are more likely to follow the policy.

Advantages of a Hierarchical Model

There are some distinct advantages to a hierarchical model. The importance of specialization has been discussed. In a hierarchical model, communication lines are more clearly defined. When you encounter a problem, there is most likely a group that specializes in that area that can help solve it. The depth of knowledge in a subject area tends to be greater. This allows managers to predict and avoid problems before they occur.

Managers can also create “centers of excellence.” These are small, specialized teams that focus on specific problems within an organization to help provide high-quality products and services. Large organizations often have teams dedicated to identifying the next big threat. These teams examine industry breaches and analyze if the company would be vulnerable to those types of attacks. In a small, flat organization, these specialties and skills may not be available.

Disadvantages of a Hierarchical Model

There are also some disadvantages in a hierarchical model. One such disadvantage is the dependence on handoffs between teams. A hierarchical model relies on work passing between a number of teams to ultimately produce a product or service. A communications breakdown between these groups could cause errors or delays.

Accountability could also be a problem. When many component teams are involved, whose fault is it if something doesn’t work? This becomes even more difficult when teams cross organizational boundaries such as between large departments.

There’s no one structure that fits all organizations. The right type of structure for an organization depends on multiple factors, such as the organization’s goals and the individual styles of its managers. A mature organization, moreover, may tend to be more hierarchical than flat. And an individual manager may be more comfortable establishing layers of controls, leading to a more hierarchical rather than flat organization.

WARNING

The larger the organization, the faster it can grow. For example, the more teams involved in producing a product or service, the more teams will be needed to coordinate their activity. It’s important that an organization does not grow for the sake of growth. It’s especially important that security policies keep pace with organizational growth, which drives greater information sharing.

In the end, it’s people within the organization who will make the implementation of security policies and controls successful. How they are motivated to adopt the security principles within these policies indicates how easily you can introduce change. The inherent disadvantage of a hierarchical model is the number of touch points and personalities that must be engaged to successfully implement a security policy. As the number of touch points increases, the number of complex matrix relationships also increases. Matrix relationships are the complex relationships between stakeholders. For example, a line of business and data center operations may be two stakeholders. The relationships involved in discussing a proposed policy might be between the security team and the line of business, the security team and data center operations, and data center operations and the line of business. Conversations also get more complex as these discussions occur lower in the organization. Conversations and relationships between senior leaders would be different from those at a staff level. The point here is that you should expect a complex set of relationships to influence and drive policy conversations. Successful implementation of security policies will depend on how well you can navigate these people issues.
