Strategy & Architecture Governance across Security, Technology and Commercial domains - Part 1
This is the first of two articles that try to dig into the complex matter of how to govern the various aspects of security in a complex organization.
For a security strategy to be effective it must be delivered on, and to be delivered it must be aligned with the business strategy and distributed to the different functions of the organization for execution. Since the functional units all have their own primary functions, it is critical that they are aligned and coordinated in delivering security into their respective areas; this is where security governance comes into play.
NIST describes governance as: “the process of establishing and maintaining a framework to provide assurance that security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk”.
Security governance consists of determining who within an organization will be responsible for what. Information must flow between the strategic, tactical and operational levels. Each level of governance within the organization should be associated with a specific set of responsibilities and formalized decision bodies, with the right people assigned to them. The most important aspect of the governance structure is that it is actually established, with defined roles, assigned responsibilities and accountability.
Security Governance decision bodies and forums
To govern the security strategy and the architecture through their entire lifecycle, there should be an established process and forums in which to develop, control and manage the different aspects and levels of the security strategy. Formal decision bodies must be established at each organizational level with a clear mandate to execute on their assigned roles.
The different levels of the organization have different interests and view things based on their primary role. The board of directors is typically entirely business oriented, while the engineering teams at the working level of the organization are typically more detailed and technology oriented. The architects and technology leaders in the middle layer need to act as “translators”, mapping the business requirements from executive and senior management into technology and security strategies that can be handed over to the operational level. It is important that these key people can speak both the business language of management and the tribal language of the technical and security subject matter experts, and thus act as a bridge between business and technology.
External stakeholders such as regulatory authorities relate to executive management, which incorporates any relevant external requirements into the business strategy and the security objectives so that the required mitigations can take place in the parts of the organization that plan and execute the strategy.
Security Governance Ecosystem
The figure above shows the interaction and dependencies between the formalized bodies at the strategic and tactical levels of the organization and the operational units responsible for developing the security and technology strategies and architectures at the operational level. The assumption in the model is that decision making is centralized but execution is distributed across the relevant functions, which is why extensive cross communication is required.
Depending on the size of the organization, several of these functions may sit on the same team, or there may be multiple teams of highly competent specialists. Security is all about teamwork, and not all of the roles and units that perform security related functions are directly attached to the security function either. Specialists may be working in the technology domain or in governance functions outside operational security but still play a crucial role in maintaining key security related functions across the organization.
Within a large organization, the governance of security functions is usually divided between strategic and tactical governance on one side and the operational level, which takes care of operations planning and execution, on the other, as shown in this example with the five main relevant entities at each level and a partial overlap in the middle on the information security and architecture functions. At the strategic level these are the formalized decision bodies in the form of boards with appointed senior or executive managers, such as the Board of Directors (BOD), the Joint Security Management Board (JSMB) and the Architecture Review Board (ARB).
At the operational level there are multiple teams with various roles that also need to interact with each other, and all are required to pull in the same direction if the organization’s security posture and incident response capability are to be at sufficient levels. At this level the Information Security (IS), Architecture & Planning (AP), Operations and Maintenance (OAM), Security Operations (SOC) and Sourcing & Procurement (SP) units regularly interact with each other.
The governance ecosystem and the relations between the functions require some detailing as to which entity should be responsible for what. The field of security is wide, and it is important to attach clear roles and responsibilities that clarify which entity is responsible for and governs what, and which relations and dependencies it has with the other units, functions and formalized decision bodies.
This concludes the first part of the article. In the second part, the different roles and responsibilities of the various functions will be explained in more detail.