This article will answer the following questions:
- What are the most common models of security leadership?
- Which model is the best match for my company?
- What are the benefits of using a centralised model?
- What is the main advantage of a decentralised model?
- From what angles should a cybersecurity manager approach cybersecurity management?
- How does a cybersecurity manager get the authority to execute the security policy?
- Why do I need to get my cybersecurity policy approved by the company board?
- What should I include in my top-level security policy?
- Who owns what cybersecurity problem?
- Who do I involve in policy creation?
- Should an employee be punished for violating the security policy?
The Cyber Security Manager Part III: Security Leadership
Cybersecurity managers must understand how company leadership is organised around security. They have to understand how the company leadership structure works and recognise that security is everyone’s concern—not a separate function relegated to a select few. Of course, in larger companies, it’s natural to hire specialists to work in various security functions. But in many companies, the cybersecurity manager can be a standalone role or even a part-time employee.
Security Leadership Models
Security leadership is, first, about who is making the calls. In principle, that means there has to be a structure in place for decision-making around security issues. In reality, what often happens is that a cybersecurity manager starts with a company, and everybody rushes in with the problems that nobody else was able to solve. The underlying thought seems to be that if it’s nobody else’s problem, it’s probably security’s problem.
There are two ways to handle security leadership more effectively. The first model of security leadership is centralised management. The centralised model is when you have one person or committee with oversight and approval of all security responsibilities in the company. It’s a one-stop shop.
The second is the decentralised model. This is where a number of different people in various departments within the company each make their own decisions about security based on the needs of their particular area.
Larger corporations might use a mix of both models. A company with many subsidiaries, for instance, might find it impossible to run security in all of them from a single centralised security team. People working in the subsidiaries probably take instructions from a headquarters hundreds of miles away with a grain of salt. They might complain that the home office staff never set foot in their facility or do the hard work, that they just issue the rules. Frankly, quite often, the staff in subsidiaries don’t even know who owns their shares, let alone who their counterpart in corporate security matters is! In those cases, it might be better to use a hybrid model—employ an on-site security champion or agent who learns and understands the local operation but who also cooperates with the centralised function.
We worked with a company that had about 40,000 employees in around seventy standalone subsidiaries and three independent business divisions. They set up a centralised security function for managing all of the security in the entire organisation. They had around five people in the centralised function and then a large number of roles doing different, separate security tasks around the different locations. There were working groups for different security issues; for example, health and safety alone had more than seventy people working together. Similarly, security in IT employed more than a handful of full-time professionals. Of course, they also held a lot of conference calls and virtual meetings where people could discuss things and follow up with programmes and policies.
In a centralised model, the advantage is that you have all the decision-making power in one place. The central function can easily get policies drafted and accepted by the headquarters executives. Decisions are made fast, and you don’t suffer from the confusion that sets in when ten different people are doing things their own way in separate parts of the organisation. From the company level, the centralised model looks more organised, and that’s a cybersecurity manager’s dream—to have all things well organised.
The disadvantage of the centralised model is that those sitting outside the central function, far away in a branch or in a subsidiary in a different country, have little contact with it. They’re left pretty much by themselves with little support. The policies, procedures, and guidelines that come from the ivory tower might fit their part of the business or be totally unsuitable, and once a policy has been issued, every exception to it causes trouble. This creates friction. Plus, dealing with security is time-consuming: the time the home office spends running centralised security functions takes time and focus away from what it should be doing—running and growing the business.
The advantage of a decentralised model is that the authority and discretionary decision-making power given to the different branches of the organisation allows them to create the best processes for their unique situation and circumstances. There is no omnipotent ivory tower issuing policies that make no sense for their branch. Perhaps headquarters issues only a high-level policy stating how the rest of cybersecurity is to be managed. Call it a meta-level policy that requires subsidiaries to build their own security management systems. The disadvantage is, of course, that policies can end up being wildly inconsistent, and security standards may vary from one location to the next.
One detail we like in the decentralised model is that it allows things to get done, and it is very adaptable. The branches know what they need, so they do it. In contrast, people in the ivory tower seldom get their hands dirty. When they do try to go hands-on, it’s often a disaster. Because they don’t know exactly what the branches do, the people from HQ may end up creating misguided or inefficient policies.
Whichever option you decide to go with, centralised or decentralised, try to consider how to take the best of both approaches. The old Zen wisdom is that the best way to keep a herd of sheep under control is to let them loose on the pasture but keep a vigilant eye on them. You will need to grant a certain amount of local freedom, but you also need to be the person who makes the final call in all things that affect the whole enterprise.
Security Leadership Dimensions
The cybersecurity manager should look at security leadership from several angles—leadership is about many things, not just about managing security matters.