Co-founder and CEO, Ofofo.io
Cybersecurity Organization Structure and Management Perspective
Optimizing the structure of the security organization and setting up well-defined roles and responsibilities can go a long way in helping businesses achieve a mature security posture.
Mohan Gandhi Ponnaganti
Summary: A crucial part of business cybersecurity is the security organization and management’s involvement. Optimizing the structure of the security organization and setting up well-defined roles and responsibilities can go a long way in helping businesses achieve a mature security posture. In the absence of a strong cybersecurity organization, SMBs seek the help of various security solutions. A marketplace can go a long way to help SMBs accomplish an optimal posture by offering various security solutions with simplicity along with utmost trust and confidence.
As the security ecosystem has evolved and become more threat intensive, businesses are increasingly focused on building a mature cybersecurity posture. By establishing an optimized security organization and functions, businesses can take a better stance against today’s cyber threats.
For large businesses, a CISO heads the cybersecurity organization, which has several key departments such as Security Engineer and Asset Security, Security Operations Center, Emergency Operations and Incidence Command, and Program Management. These departments carry out functions which are broadly categorized as:
The figure below details the CISO cybersecurity organization structure:
SMBs however do not have the same detailed and illustrated structure as shown above. Given the shortage of budget and security talent coupled with different security needs, it’s an absolute necessity for these businesses to optimize their security organization and functions.
While developing the right organisational structure, businesses come across challenges that tend to hinder their progress. Some of these concerns are discussed below:
Reporting Structure: To improve the security posture, the business’ reporting structure might need some alterations. Currently, 45 per cent of CISOs are reporting to the CIO and only 17 per cent report to the CEO of the business. Interestingly, many (37%) security experts and leaders believe that the CISO should report to the CEO and nearly half of the CIOs themselves say that a CISO should directly report to the CEO.
Talent Acquisition: The cybersecurity domain faces a serious shortage of talent; in fact, one study found that 85 per cent of SMBs have only one or no full-time employees for cybersecurity. This is further amplified by the perception of security teams: almost 54 per cent of businesses believe their security teams are understaffed. In terms of recruiting, 45 per cent of businesses found it very challenging to find the right security talent and another 34 per cent found it extremely challenging.
Large businesses tend to have buy-in from the board of directors, executive management and several other departments. The figure below illustrates key roles and their respective involvement across various security activities.
For SMBs, however, the security roles and responsibilities are quite different. Although there might be a CISO or cybersecurity director/manager heading the security organization, SMBs have relatively smaller teams with individual members performing various security tasks. A few roles within SMBs include risk assessment & management, identity & access management, etc.
To overcome the concerns for security organization structure and talent, SMBs globally are becoming more inclined towards security products/services. Currently, they are spending upwards of $57 Bn on security solutions, and it is expected to grow to $90 Bn by 2025. Some of the key products that are adopted by SMBs include network security, security hardware, mobile security, end-point security solutions, etc.
The share of managed security services (MSSs) in current SMB spending on cybersecurity is 35 per cent and is expected to grow steeply at a CAGR of 17 per cent between 2020 and 2025. Additionally, these MSSs are bridging the SMBs' security product and skill gaps. In fact, 81 per cent of SMBs that have partnered with MSSs have reduced cyber risks and 72 per cent of these SMBs have reduced the complexity of cybersecurity.
By understanding specific business security requirements, cybersecurity marketplaces offer a variety of products/solutions along with transparency and a standardized buying process. By carefully vetting solutions and conducting due diligence on vendors, Ofofo offers a platform of trust and clarity. Moreover, features such as the comparison of products/services along with pricing and business-specific recommendations are also available on the marketplace platform.
To enhance cybersecurity posture, businesses need to establish the right organisational structure and functions. Further, it is critical to have well-defined security roles and responsibilities for security personnel to maximize the business’ stance against cyber threats. SMBs often find it tricky to build an elaborate security organization and have one cybersecurity person carrying out numerous security activities. As a result, they are becoming more inclined towards products/solutions to aid with their defence. A cybersecurity marketplace can present several such solutions with complete trust and confidence.