Friday, September 13, 2019

Should an organization centralize its information security division?

Should an organization centralize its information security division? Is your organization capable of having true information security governance? In our expert Q&A, Shon Harris reveals the ideal components of a centralized security team.

Security began in the IT department and was viewed specifically as a technical issue. We can label this period the "caveman phase." If your organization's security concerns are managed solely by the IT group, then your company needs to evolve. Security management should be moved to a management position, such as a CSO or CISO, and there should be a centralized team that is solely responsible for security practices. Centralization allows security to be treated as a business issue. Having the security officer on the executive management staff is an advantage: the officer can then understand and mitigate risks using controls that are not solely technology-oriented.

Entering more of an "industrial phase," many organizations have recognized that security affects their bottom line, and they have dedicated the necessary funds to reduce the company's risk level. Although "industrial phase" practices are more effective than those of the "caveman phase," they are not perfect. It is almost impossible for a group of people working in a security department to understand and control all the types of threats and risks in the various departments of an organization. Instead, the security group is typically left responsible for writing policies, configuring firewalls and handling intrusion detection, while also rolling out domain group guidelines, information security awareness training, incident handling and vulnerability management. Different business unit managers, and even board members, need to be involved in the security process.
Business unit managers should participate in a risk management committee led by the security officer. Such a collaborative meeting allows the security officer and security team to understand a wider range of the risks the company faces. A security steering committee should also be established to provide oversight and guidance on security matters. The CEO should receive updates on the company's security posture and should also ensure that business unit managers are participating and that the security team is getting enough support.

In what we call the "enlightenment phase," the security process involves everyone to some degree, from the board members down to the users. It is only at this phase that we can have true information security governance. Information security governance refers to all of the tools, personnel and business processes that ensure an organization's security needs are carried out. The process requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms.

Let's compare two companies in different phases. Company A (in the enlightenment phase) has an effective information security governance program in place and Company B (in the industrial phase) does not. To the untrained eye, Company A and Company B appear equal in their security practices: both have information security policies, procedures and standards, the same security technology controls (firewalls, IDS, identity management, etc.), and a security team run by a security officer. But if you look closer, you will see the critical differences listed in Table 1.
