Should This Involve the Whole Organization?

Abstract

Throughout the past decade we have seen a variety of management experiments with new cybersecurity organizational structures. Many of these were formed hastily in response to management recognizing they were vulnerable to threats, and then grew to fulfill their mission of threat preparedness independently of both business and technology development. Even when cybersecurity departments are part of a technology group, they are often placed under an infrastructure manager and often have not been well-integrated with software specifications or deployments. Instead they focused on assessment and remediation of production environments. Overall, growth in cybersecurity organizations has been somewhat consistent, with Chief Information Security Officers (CISOs) designing enterprise-wide cybersecurity risk programs, piloting security technologies within the technology organization, and then seeking integration touch-points with other organizations as threats became more obvious and ubiquitous. Consequently, many cybersecurity officers have limited visibility into business requirements for technology and as a result may be assumed by their peers to have low levels of business insight and corresponding contribution to mission.1 The recent drive to build enterprise capabilities for managing cybersecurity risk represents a change to a more aligned approach wherein cybersecurity is viewed not only as a key consideration in enterprise risk management (ERM) but a key attribute of enterprise architecture.