Re: CISO/Security Team roles and functions

[Pierre Cadieux <hobbit () theshire com>]

It can be difficult to change an organization structure that exists, and 
sometimes it can be completely impossible.  If you can get visibility 
and/or direct communication between senior executives and security, then 
it doesn't matter as much the reporting order.  I would look for a title 
that in your organization matches the peers you would be working with 
(in many U.S. companies this would be a Director title, or V.P. title, 
or Architect.

Results are more important than title or organization structure :) best 
of luck!

->Pierre

WALI wrote:
> I am facing a related issue of roles and job responsibilities. 
> Security Analyst though reports to a non-IT Executive VP role but so 
> does, a database administrator, a software quality assurance personnel 
> and IT manager(s).
>
> Is this a correct organisational structure?
> Can DB Admin and QA function be made reporting to Security Analyst?
> If this senior security analyst has to hire a few helping hands, what 
> are the usual 'job titles'?
>
> It's still a one man shop being asked to expand into a department. If 
> security analyst has to ask for a change in the job title in the 
> expanded scheme of things but is still not ready for 'CSO / CISO yet', 
> would IT security architect, IT security engineer be more appropriate?
>
> ----- Original Message ----- From: <amatachick () gmail com>
> To: <security-basics () securityfocus com>
> Sent: Tuesday, February 05, 2008 1:02 AM
> Subject: Re: CISO/Security Team roles and functions
>
>
> > This is an issue I've run into on every Information Security job. 
> > Sometimes Information Security takes care of the firewalls and IDSs 
> > and sometimes that job goes to the Network Administrators. I've 
> > worked in both environments. I have to say from personal experience 
> > the later is much more common, especially when you get to a 
> > management level. I am fine with it being either way as long as 
> > Information Security can fully, and without the Network 
> > Administrator's prior knowledge, audit the Firewall and IDS 
> > configurations and logs. I don't believe that separation of duties 
> > and responsibilities applies so much in this scenario as in the 
> > bigger picture.
> >
> >
> > I've run into the most issue with segregation of duties and 
> > responsibilities at the departmental level. The key question being, 
> > who does Information Security report to? I, personally, don't think 
> > it should be Information Technology. I feel that Information Security 
> > should really be its own department or at the least report to 
> > compliance or legal departments.
> >
> >
> > To be succinct, I believe it is the job of Information Security to 
> > ensure and/or report incidents, non-compliance to policies and 
> > procedures, firewalls and IDSs are functioning properly, and conduct 
> > audits/assessments.