Reorganising the security function in large organisations

Security organisations were very different 20 years ago: the “typical” team was made up of around fifteen people in the ISD operations, all of them passionate about technology. Attacks were rare, pressure from regulators was limited, top management had no control over anything, with CISOs under very limited pressure. Admittedly, the first conversations on the positioning of the CISO in the organisation were beginning to emerge (balance of power with the CIO, closer ties with the Risk Department, etc.), but these expert discussions were still very confidential.

20 years later, the situation has completely changed, and security has taken on a whole new dimension in companies. The figures speak for themselves: across organisations, we generally see a ratio of 1 security FTE for 500-3,000 overall employees. Some financial players even reach record ratios of 1 for 200 by integrating the different lines of defence. Some financial players even reach record ratios of 1 per 200 by integrating the different lines of defence. ISSM are therefore now in charge of a plethoric and highly diversified workforce. The historical experts have been joined, in recent years, by Project Managers, PMO, COO, Program Managers, and sometimes even by specialised buyers and HR, who are gradually learning to work together. Like a sports coach, the CISO must now deal with a varied workforce, find the right organisation and the right game system to get results.

The reasons for reorganising are broadly the same: lack of control, a feeling of inefficiency, diffusion of responsibilities and the seemingly colossal amount of work needed to reorganise. This leads some CISOs to consider disruptive solutions very quickly, in particular the idea of grouping all security resources into a single, hierarchical team; however, in 95% of cases, this solution is not chosen. Such a move presents too many risks of isolating the security function, which is difficult to reconcile with the need for business proximity for certain activities: support for business projects, raising awareness among specific populations, budget negotiations, etc. The dispersed security function is the norm: a central team with relays (local CISO, security correspondents, etc.) spread throughout the organisation. However, some industrial players have recently moved towards centralisation, motivated by a desire to bring together cybersecurity resources with the security team, which is particularly mature in this sector.

The attachment of the CISO also remains an element of debate, which has been widely relayed and commented on for years. Multiple CxOs are introduced into companies and it sometimes seems as if it’s a race to see who will be the highest in the hierarchy. But, contrary to popular belief, there is not necessarily a trend in the field towards the exit of the IT department. Quite the contrary: 3 out of 4 CISOs report to the CIO in large companies and most reorganisations lead to such an affiliation. The reason is simple: it is often an excellent place to be in action, to make progress on issues and to obtain a budget. It is important to note that 80% of a cybersecurity budget falls within the scope of the IT department. It is therefore essential to nurture a quality relationship between the CISO and the CIO.

It is common to be solicited multiple times for the same study by different entities of an organisation. This is understandable: in a pipeline model, each entity/country has a security team, and, without clearly established rules,  local management often decides to reinforce its team at the slightest need (specific study, audit results, etc.). This model, despite its advantages, may also create complexity and redundancy.

The trend towards the pooling of expertise and the creation of central cybersecurity service offerings will help avoid such situations. In very concrete terms, this means that many organisations are pooling:

With the addition of a governance and strategy entity, this organisational setting resembles the chart of many Group CISOs. Some organisations opt for a distributed model, consisting of distributing services across entities, and very large companies often opt for the creation of intermediate Hubs (by region, by business line, etc.) delivering these services. Regardless of the organisation chosen, this consolidation movement is underway; it is estimated that around 40% of the function’s employees work on activities with a cross-functional scope with an exponential increase in recent years.

This move towards centralisation frees up local teams (CISO or business/country/entity correspondents) who can thus consume services and refocus on activities requiring close proximity to their businesses: risk assessment, integration of security in projects, security revenues, etc. In the security functions, this is where we still find the bulk of the workforce, however, this situation remains temporary. The widespread use of agile technology has a direct impact on the teams who find themselves changing jobs from one day to the next because they are projected into the Feature Teams to train, coach and equip “Security Champions” who are gradually gaining in autonomy. As a result, local CISOs are also industrialising and organising their teams into service centres for these Feature Teams (development standards, code review, analysis methods). It is likely that centralised security teams are likely to resurface, led by the acceleration in agile transformation processes.

The strong growth of some security channels requires the establishment of clear organisational structures, but it also represents an opportunity for employees. Project management, team management, expertise, communication: very few functions offer such diversity, which is ideal for attracting and retaining talent.