Security teams

By dinzie
I work for a major global manufacturing and distribution company. Currently within the IT function we do not have a specific Security group. Security is devolved amongst the various IT technical groups...

My question is: what is the best scenario with large companies? Devolved security functions within the technical groups, or a centralised security group at least governing the IS security within the company?

This conversation is currently closed to new comments.

10 total posts (Page 1 of 1)  
All Comments

Security teams

by Tim Parkins In reply to Security teams

Hi,

I also work for a very large organization. We have an IT security group, and I think that this is the way to go in such a large organization. I am a programmer/analyst myself, yet I like having a group other than our development team responsible for security. It takes a lot of specialized knowledge and work to properly secure everything. Most developers simply don't have the time or expertise to properly implement security, unless they do this full-time.

My humble opinion... centralized IT security group.

Good Luck!
Tim

Security teams

by dinzie In reply to Security teams

Poster rated this answer

Security teams

by RealGem In reply to Security teams

IT security is largely about control: controlling who has access to what.

While you _can_ work this in a decentralized fashion, the centralized format makes more sense.

The central security group is responsible for defining security policy, procedures, and structure. They provide a single point of contact for all security requests.

Note that the central security group can always delegate some of the work, particularly if they don't have the skills, but they must only parcel out individual work items one at a time.

For larger organizations, it is extremely difficult for decentralized groups to manage access to the data of others. There will always be some data sharing, and it is a nightmare to try and figure out how to get access to the data - every department will have different rules and procedures.

The decentralized method is also very inefficient. Each department will have one or two (depending on coverage needs) people who act as administrators. All of them must be trained, which is more expensive. The centralized method will actually save $$ in the long run.

The common complaint about the centralized group is that they will "slow things down". Maybe they will. But, if security is important, it's worth having someone watch it carefully.

Security teams

by dinzie In reply to Security teams

Poster rated this answer

Security teams

by Some Guy in Seattle In reply to Security teams

This depends on the security policy of your company. Some companies don't like having one group have too much control over the network, so they break up the security responsibilities into teams with one group for servers, another for perimeter defense (routers, firewalls), etc. The problem with this is that events that span more than one group may be slowed down by the bureaucratic process. Could be an issue if something breaks or is hacked, plus when upgrades or additions are performed it takes longer to work out who does what, when. This solution may not be avoidable if the network is very large due to the amount of time it takes to maintain it.

If you have a stable department, with low turnover, "relatively" trusted employees, a network that can be handled by one department, and an explicit security policy that is known to be enforced and supported by management, there is no reason to not have one department handling network security. If there are problems with any of these factors it may be wise to split up the responsibilities.

Network security is something that must be taken seriously and, while there is no "correct" approach, the corporation needs to make sure that it is being taken care of in a logical, concise manner.

Hope that helps,

Security teams

by dinzie In reply to Security teams

Poster rated this answer

Security teams

by pjpatiky In reply to Security teams

dinzie - In a large company where compartmentation is an advantage, where one group/section should not know the production of the other, then compartmentized security sections is by far the best function. Neither devolved nor centralized.

If the company is just one big group or family then one overall security section is the best function.

When you "devolve", move policy making and enforcement from person to person, the policies too often change with whoever is in charge of security. This allows leaks in security procedure and rapid changes in security policies and keeps the working stations in a state of flux, unchanneled, unsure.

Security teams

by dinzie In reply to Security teams

Poster rated this answer

Security teams

by dinzie In reply to Security teams

This question was closed by the author

Security teams

by dinzie In reply to Security teams

What I've learned...

Centralising provides co-ordination across the groups. It also provides $$ saving on reduced duplication and frees up the technical staff to do what they were hired for...

IT security is a joint responsibility of both IT management and Business.

There should be a single point of reference for security and security issues. A security council is a good way to integrate the IT and business directions - but there should still be an 'Owner' of Security.

From Gartner/datapro - "when an organisation has a dedicated person department for security, there is a higher rate of implementation of security policies than in organisations without the dedicated function."

There has to be a strong commitment from management to back policy and procedures.

There has to be a well defined security awareness programme. Just how aware are your employees as to what violates the security rules... who to report to if they saw a security violation...
