Identify security functions that can be devolved elsewhere
Assess your current security team's effectiveness with a view to identifying functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT department. Determine which functions are working well, and therefore should not be disrupted, and which are performing suboptimally or perhaps not at all.
Next identify the root causes of security problems. Are current staff overloaded? Are there political or cultural barriers between business units? Are there scaling issues? Functions that are problematic for such reasons may be candidates for devolution.
If there is no dedicated security organization (meaning that IT and non-IT staff currently perform all security functions), the main problems are likely to stem from a lack of coordination. Such a situation indicates potential for establishing a lean governance function.
Find a new home for poorly performing security functions
Based on your assessments, identify alternative locations in the business or IT department for security functions that are under-resourced or performing suboptimally. Alternatives should possess the capacity, resources, political clout and business incentives to support the relocated functions. Another possibility is to outsource them to a managed service provider.
Many traditional security practices for endpoints and networks could find a new home with professionals in the IT infrastructure and operations team. Application security functions could relocate to application development and DevOps teams. "This approach can potentially result in the design of a 'lean' security organization where a dedicated security leader manages centralized coordination of key governance and operational activities," says Scholtz.
Pros and cons of the lean approach
A lean approach to digital security can alleviate the skills shortage in the cybersecurity field. It can also help build a broad understanding of security matters throughout an organization. This is entirely appropriate, given that all employees should understand and be able to manage the security implications of their jobs. Moving security decisions closer to the business units affected can also help drive more informed decision-making, based on a better understanding of the underlying processes and business impacts.
A key disadvantage, however, could be that fragmenting the security role and security responsibilities across different reporting lines may disrupt coordination, especially in geographically dispersed organizations. But Scholtz adds that "clear direction, strong governance and effective program management should be enough to keep this risk under control and help realize the benefits of a lean security organization."