Security team management: Top 4 findings from discussions with CISOs

Business
What does a “security team” look like, exactly? We talked to CISOs to find out. Our discovery process yielded some interesting findings about the number of teams at each organization, their focus, how new teams are created, and reporting structure.

Most large businesses have a security team. But what, exactly, does that security team look like? How is it structured? To whom do its members report? And is it optimized in each of these respects to maximize the organization’s security posture?

Those were among the questions that IDC recently asked a variety of enterprise security leaders as part of a project to understand approaches to organizing security functions today. What we found was a bit surprising in some ways.

We learned, for example, that very few organizations have just a single security team. Most have several. We also discovered a variety of approaches to organizing reporting structures for security functions.

Keep reading for a look at key findings from our research, along with tips on how CISOs can apply them to enhance the effectiveness of the security personnel they manage.

Finding 1: Few businesses have just one “security team”

Although it’s not uncommon to hear executives use the singular form when referring to a company’s “security team,” every one of the business leaders we interviewed told us that their organization maintains several distinct security teams.

The total number of distinct teams varied somewhat. Some businesses maintain just two or three teams, while others have around a half-dozen.

But what is clear is that for most medium-sized and large organizations today, one security team doesn’t cut it. CISOs should expect to build and manage multiple teams.

Finding 2: Security team focus varies widely

What, exactly, does each security team within an organization do?

The answer, it turns out, varies widely. In general, IDC found that most companies have one team dedicated to basic security operations, like monitoring for and responding to threats. Beyond that, however, the focus of the additional teams was not consistent. Some companies maintain teams dedicated just to managing user identities and access permissions, while others fold that function into the responsibilities of teams with broader purviews. Some have distinct cloud security or application security teams, but that is not always the case. And so on.

For CISOs, the takeaway here seems to be that there is no one-size-fits-all approach to organizing security team responsibilities. Security leaders should feel free to define each team’s purview in whichever way makes the most sense for their organization.

Finding 3: New security challenges lead to new teams

On that note, what makes sense for a given organization when defining each security team’s purview appears to depend, in large part, on which types of security challenges it finds most vexing.

When we asked security leaders which consideration led them to create a new security team – either by building it from scratch or spinning it off from an existing team – the most common answer was that they were struggling with a particular aspect of security, and decided that dedicating a team to solving it was the best solution.

This is why, for example, some CISOs told us they had created teams focused solely on identity and access management (IAM): Trends like multicloud and hybrid cloud had led to an explosion in the complexity of IAM systems and risks, to the point that only a dedicated team could solve them.

When asked whether they worried that creating new teams in response to emerging security trends might lead to an excess number of teams, security leaders generally said this was not a major concern, since they could easily phase out a given team if the security risk it managed ceased to be a major challenge or priority.

Finding 4: Security reporting structures vary widely

In addition to discovering a diverse set of approaches to organizing security teams and functions, our research found a variety of reporting structures for the enterprise security function.

All of the organizations we spoke with have an executive – typically a CISO – who was responsible for overseeing IT security across the company. But the person to whom that executive reported is not consistent. In many cases, CISOs report to a CIO. But at some companies, they report directly to CEOs, legal officers or, in one case, a CFO.

The downstream reporting flow also varied significantly. Some security leaders told us that they maintain “flat” security organizations, with minimal management layers separating security practitioners from the CISO. Others had rigid hierarchies, with a manager overseeing each security team, and directors – who themselves reported to the CISO – overseeing the managers.

When asked why they adopted a certain approach to defining reporting structures, most security leaders cited cultural priorities. Advocates of “flat” teams, for example, mentioned that they believed a lack of hierarchy would help encourage individual contributors to feel empowered and behave proactively when managing security risks – attributes that would ultimately benefit the company as a whole. On the other hand, proponents of hierarchical teams emphasized the importance of having clearly defined roles, responsibilities, and oversights for security teams, lest a threat go undetected because everyone thought it was someone else’s responsibility to find it.

For CISOs, the takeaway would seem to be that, here as well, there is no one-size-fits-all approach to organizing reporting structures, but that overall organizational culture can help determine the best strategy.

Conclusion: The many forms of the modern security teams

Instead of referring to a company’s “security team” as if it’s a singular, generic entity, CISOs and other business leaders should perhaps instead emphasize the diversity of modern security teams. Security organizations can vary widely in form and function – which is a good thing because it allows CISOs to adapt security team structures to fit their businesses’ unique needs and priorities.

Learn more about IDC’s research for technology leaders.

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the technology markets. IDC is a wholly owned subsidiary of International Data Group (IDG Inc.), the world’s leading tech media, data, and marketing services company. Recently voted Analyst Firm of the Year for the third consecutive time, IDC’s Technology Leader Solutions provide you with expert guidance backed by our industry-leading research and advisory services, robust leadership and development programs, and best-in-class benchmarking and sourcing intelligence data from the industry’s most experienced advisors. Contact us today to learn more.

Christopher Tozzi, an adjunct research advisor for IDC, is senior lecturer in IT and society at Rensselaer Polytechnic Institute. He is also the author of thousands of blog posts and articles for a variety of technology media sites, as well as a number of scholarly publications.

Prior to pivoting to his current focus on researching and writing about technology, Christopher worked full-time as a tenured history professor and as an analyst for a San Francisco Bay area technology startup. He is also a longtime Linux geek, and he has held roles in Linux system administration. This unusual combination of “hard” technical skills with a focus on social and political matters helps Christopher think in unique ways about how technology impacts business and society.