D. Dingle, a TechRepublic member from New Zealand, wanted to know how to set up a staffing strategy to handle security in a large organization. Should security issues be handled by a designated team in the IT division? Or should individuals on the IT staff be assigned security tasks?

He posed his questions to other TechRepublic members in the Managing Your People section of TechRepublic’s Technical Q&A forum.

Members responded that, if possible, creating a security team is the better option because it centralizes the security needs of an organization. Other members warned that that strategy could present some problems.

Central power
TechRepublic member Greg Maxfield suggested that creating one security team makes sense because it limits the control of security to a select few.

“IT security is largely about control: controlling who has access to what,” Maxfield said.

According to Maxfield, a centralized team can be effective because a team is:

  • Responsible for defining security policies for the whole organization.
  • Tasked with creating one set of security procedures and one security structure.
  • Able to provide a single point of contact for all security requests and issues.
  • Able to delegate security tasks in an organized fashion.

Maxfield did warn that a centralized group runs the risk of causing a bureaucratic mess when it comes to the needs of individual departments.

“The common complaint about the centralized group is that they will slow things down. Maybe they will. But, if security is important, it’s worth having someone watch it carefully,” Maxfield said.

Member Tim Parkins, a programmer for a large organization that has a security team in place, agreed that a centralized team is the best bet. Parkins said he felt more secure knowing that his organization leaves security issues to one team.

“It takes a lot of specialized knowledge and work to properly secure everything. Most developers simply don’t have the time or the expertise to properly implement security, unless they do this full time,” Parkins said.

Pick your favorite way
TechRepublic member Dan Hackney suggested that Dingle determine the preferences of the organization to find his answer.

“Some companies don’t like having one group have too much control over the network, so they break up the security responsibilities…with one group for servers, another for perimeter defense, etc.,” Hackney said.

Assigning various security tasks to different groups disperses control, he added. This strategy, however, delays security initiatives because of the following:

  • Splitting tasks between groups can delay decision making.
  • System upgrades and additions may take longer.
  • Breaks in the network may be more difficult to find.
  • It may take longer to isolate damage caused by hackers.

He suggested Dingle answer the following questions before deciding if his organization should designate a security team:

  • Do you have a stable organization with low turnover?
  • Does the organization employ “relatively” trusted employees?
  • Can one department handle the network?
  • Does the organization have one explicit security policy that is enforced and supported by management?

What’s your take?

Can you think of other advice you would offer Dingle? Do you agree with the answers in this article? What else should Dingle consider? Join the discussion in our Technical Q&A. (Please note that though the discussion is marked answered, you can still post there.)