My organization is in the process of establishing an Information Security directorate. I was tasked with proposing an ideal structure for the Information Security function. Currently my proposed design has 2 main components:

1. Security Management (reporting to CISO)
2. Security Technical Operations (reporting to a Senior IT Security Manager)

Furthermore, the Security Management functions will lead the security infrastructure, IAM and SOC capabilities, and Security Management will drive the implementation of ISMS, Governance, Risk and Compliance, and Strategy and Policy. I would like to hear what other organizations are doing in terms of organizing their resources.

Deputy CISO, 2 years ago

Hi, please refer to this link: Key Findings: Security Organization Structure and Design (gartner.com)
I can discuss more offline.
Some things to chew on:
1) What are your burning priorities, and thus the dedicated lead/team you may need? This monitoring team probably only does this and maybe threat hunting etc.
2) You probably need a separate focus on monitoring, and a separate one to focus on defense (perimeter, endpoint).
 

Vice President, 2 years ago

Some perspective you might find useful here: https://www.fncyber.com/web-of-trust-article/the-3-must-have-cybersecurity-roles-in-your-organization
