Security Organization (SEO)

The IT infrastructure of an organization is undergoing transformations driven by changing business needs and by shifting trends in the characteristics of the infrastructure itself. Alongside these changes, various security challenges unfold that need the close attention of executive management. Executive management of an organization therefore entrusts the responsibility for security management to the ‘Security Organization’. The responsibilities and the extent of the role of the Security Organization are expanding, crossing the traditionally defined boundaries of IT and covering all horizontal and vertical functions of an organization.


Historically, with due importance given to technology risk management, the Security Organization has been seen as a part of the IT organization. However, over time it has been recognized that many more elements need the attention of the Security Organization, and these fall outside the boundaries of IT. Security also needs organization-wide effort that brings different functions together, a communicative approach that spreads awareness and seeks cooperation, a level of coordination while managing security affairs, and an integrated approach while analyzing and solving problems. The positioning of the Security Organization matters a great deal for its effectiveness. It has been advocated that the Security Organization should be independent of the IT organization, and perhaps report to the CEO. DSF considers that the Security Organization (SEO) is an important facilitator for achieving a high SEO.

  • Identify all the activities, functions and operations that are attributed to security or require analysis from security perspective
  • Create an inventory of roles that are responsible, accountable and informed for these activities, functions and operations
  • Identify the hierarchical positioning of these roles and their reporting structure in order to draw a structure of the security organization
  • Create a map of security functions, activities and operations that are managed centrally and distributed across the organization’s geographies and units
  • Identify the elements that help central security organization to establish controls over security in distributed environments and geographies
  • Evaluate the characteristics and extent of security activities or responsibilities that are being carried at the corporate management function of an organization
  • Identify the involvement and contribution of Lines-of-Business (LOBs) in security from all perspectives
  • Identify the ownership pattern for security related matters
  • Create an inventory of security related tasks and operations that fall into categories such as implementation, administration and maintenance
  • Create an inventory of security operations that fall into categories such as vulnerability scanning, threat management, security monitoring and incident management
  • Identify the functions or roles that are responsible for defining and building strategic elements for security
  • Identify the function or roles that are responsible for managing tactical functions of security
  • Identify relations between the security function, IT operations, support groups, Lines-of-Business units, and corporate management
  • Identify security communication elements — channels, message delivery, message contents — that flow between different functions, departments and geographical locations
  • Create an inventory of collaboration mechanisms that exist in an organization including those that are specific to security
  • Categorize the activities of the CISO into Strategic, Tactical and Operational areas
  • Estimate the efforts required for all security elements that are distributed across the organization
  • Evaluate the actual efforts and resources assigned against the estimations to identify any gaps or disparities. Identify the skill requirements against each type of role
  • Identify how the security skills development program runs in the organization
  • Identify the current sourcing model. Identify how externally provisioned systems and applications are used, and how the responsibility and accountability for them is shared with the external providers
  • Create a strategic roadmap for building a responsive, competent and business-centric Security Organization that helps an organization efficiently manage the growing complexity of security
  • Ensure that there exists visibility over all security activities, functions and operations
  • Ensure that the roles and responsibilities for all identified security activities, functions and operations have been properly defined
  • Ensure that there exists a proper structure for Security Organization
  • Ensure that the corporate function of an organization takes strategic responsibility of security
  • Ensure that the Lines-of-Business units are involved in security of IT assets that are serving their business applications
  • Ensure that the administrative tasks of security device and solution management, such as implementation, operation and maintenance, reside with IT, and that tasks that need segregation, such as security monitoring, vulnerability assessment and security incident management, reside with IT Security Operations
  • Ensure that the corporate security function, business security function, IT operations and IT security operations collaborate with each other and that overarching governance processes integrate them
  • Ensure that the reporting of security function aligns with the evolving trends
  • Ensure that the Security Organization spans across strategic, tactical and operational layers of an organization
  • Ensure that there exists a working relationship between Security Organization and all horizontals and verticals of an organization
  • Ensure that there exists a centralized control over the security initiatives of an organization
  • Ensure that the CISO is involved in the business decision making process
  • Ensure that the Security Organization is involved in the operational tasks like business application sourcing and procurement, architecting IT infrastructure, acquisition of underlying IT systems, availing third-party or externally provisioned systems and application, contracting with external service providers, and IT infrastructure upgrade
  • Ensure that there is a significant level of information flow between the different security functions
  • Ensure that the Security Organization plays an active role in IT Infrastructure Management processes in order to gain assurance over the IT operations
  • Ensure that the Security Organization shares the responsibility of security of outsourced service providers, vendors and externally provisioned systems and applications
  • Ensure that there exist mechanisms that facilitate coordination and collaboration for security
  • Ensure that the CISO engages more in communicative, collaborative and integrative activities, and is free from day-to-day operations
  • Ensure that the CISO possesses skills that are more managerial in nature and is projected as a business leader or strategist
  • Ensure that adequate skills are deployed to cater to the efforts required for execution of all security activities, functions and operations
  • Ensure that the security roles and responsibilities keep pace with changing nature of security challenges
  • Ensure that there exists a skill upgradation program that continuously tracks skill requirements to manage the perennial and evolving security challenges
  • Ensure that the Security Organization maintains an adequate level of security intelligence that manages security functions effectively and brings swiftness in the response to incidents
  • Visibility over the activities, functions and operations that are attributed to security or significant from the security perspective
  • Distribution of the Security Function at the organizational units and layers
  • Strategic Positioning of the Security Organization
  • Elevation of CISO’s responsibilities and skills
  • Alignment to business objectives
  • Clarity in roles and responsibilities
  • Balancing security operations between IT and IT security
  • Level of collaboration between different functions
  • Adequacy of skills and resources
  • Proportionality of skills distribution to requirements and challenges



DSCI Security Framework