This article will answer the following questions:
- Is it useful to study my company’s organisational chart?
- What is the difference between a line and a matrix organisation?
- How do virtual teams fit into the company’s organisational chart?
- How do I identify the company’s main influencers if they are not on the organizational chart?
- What security policy issues do multi-location companies experience?
- How do I align with compliance-driven stakeholders?
- What is the best way to align with risk-driven stakeholders?
- What are the main interests of business-driven stakeholders?
- Which stakeholders’ interests should I follow first?
The Cyber Security Manager part II: Know the Structure and Key Stakeholders
A good cybersecurity manager must understand both the organisational structure and the power structure of the organisation they work in. This is essential. If the cybersecurity manager doesn’t know who makes the final decisions, who controls the money, and who the key influencers are, it will be difficult to be effective in the cybersecurity manager role.
Study the Org Chart
Studying the organisational chart of the company is the quickest way to get the lay of the land, figure out who’s in charge, and discover who reports to whom.
Looking at the org chart, the cybersecurity manager can see if the company is structured in a line or a matrix. In a line organisation, depicted by the typical upside-down tree chart, the hierarchy is clear. Key executives are listed at the top of the chart and department heads below them, then the managers, and so on. In this scheme, each owner has a budget, and you can go straight to the owner with requests. In a line organisation, the cybersecurity manager should talk with each owner about how security is relevant to them and their department.
In a matrix organisation, however, the landscape is a bit different. Here, employees are divided into teams by projects, which gives workers multiple reporting relationships, for example to a functional manager and a project manager. In this scheme, a quality manager or product owner might work with people on every line, making for some complex relationships. What the cybersecurity manager needs to understand is that this manager or owner is not the boss with the budget. In a matrix, the cybersecurity manager must negotiate with people in all of the business lines.
In either type of organisation, the cybersecurity manager’s goal is to find out about any security concerns and learn who is responsible for those areas. It’s not always clear. Many supervisors, though they are responsible for monitoring safety and security, don’t even know where to find cybersecurity procedures. They may not know what to check when they hire people, or they might forget to collect computers when someone is fired. Some don’t feel security is their business—production managers figure they handle production plans, not security—until the day there is a problem and they realise it is their responsibility.
For example, we worked with a government organisation in Finland where an older lady, who had served as the cybersecurity manager, was preparing to retire. As she prepared to hand over the reins, it became clear she didn’t have a clue about the organisational structure or even where to report security issues.
After a day or two working with this lady, studying the organisation, and having discussions with her and her colleagues, it was actually quite clear who was making decisions in the company and what kind of management structure was needed for security. This woman could have studied the org chart and discovered who she needed to talk to. She had just never bothered to do it.
Finding out about the decision-making process in an organisation is crucial. Without a solid grasp of organisational structure and decision-making, the cybersecurity manager will struggle to get anything accomplished. The organisational chart is a helpful starting point, but it’s equally important to study process flow charts and understand how things are produced and communicated.
With that in mind, cybersecurity managers also need to be aware that not all the information about who has power and influence in an organisation appears on the official org chart. Often, especially in bigger companies, virtual teams have the authority to decide on certain matters, including security, and those teams are usually not visible in the chart. Many influencers may not appear on the chart at all, so cybersecurity managers have to talk to the people in charge, ask them how decisions are made, and find out who makes the final decision.