The 4×4 security program and organizational structure
The basic structure of the safety program
A successful security organization is not just names on boxes or a set of software. It’s the relationships between those boxes, the caliber of talent filling the boxes, the processes that integrate technology, and the core activities that aren’t just about keeping the lights on.
When I am asked “How should I structure my security organization?”, I will usually draw the model below. There are four simple rectangles for the four main security domains, with connections and associations to other IT communities.
Each of the areas has its own goals, partners and processes:
- A Security Policy Management Program liaises with Legal, Internal Audit, HR, and the Project Management Office (PMO) to set strategic direction, policies, standards and processes for security.
- The Network, Intrusion and Event Security program meets the needs of IT operations and internal audit teams by ensuring borders are sealed and security events are promptly reported and managed.
- An Identity and Access Management program meets the needs of enterprise architecture, internal audit, business owners and HR by ensuring that users are properly managed and that access is enforced in a way appropriate to each resource in the business.
- The Security Operations Program works with IT Operations to implement changes, ensure service availability, and execute security solutions.
Roles of the main security program
Each of these programs has a program manager and one or more program engineers. Each role can have brilliant and profound impacts, but the two are rarely the same person.
- A program manager sees the whole picture, acts on it and sets the vision. He or she has political capital and can easily navigate the organization, communicate with leaders, build trust and, most importantly, lead from the front.
- A program engineer is guided by this vision towards creative solutions – technical, process, social, etc. Engineers are efficient, technically intelligent, collaborative and results-oriented, and they don’t let the details get in the way. They can touch the keyboard, but mostly to prove out their ideas.
There are other roles that are critical to the success of any program, but these are more generalist and can be staffed as shared services, as we’ll see in a moment.
I’ve worked with dozens of Fortune 1000 clients. I’ve seen a number of failed solution deployments, major program delays, and huge capital expenditures that delivered minimal value. In almost all cases, a contributing factor to these failures was a lack of involvement and leadership on the part of the program manager. Blame is often spread widely, but strong leaders overcome the obstacles that others use as excuses. Security program managers fail when they keep away from the details, try to be overly executive, and fail to give direction grounded in an understanding of the situation.
Are there other ways to distribute the responsibility successfully? Yes. Is the 4×4 Security Organization Model the perfect structure for every business? No. Does it work for events caused by a crisis? Maybe.
There is no single solution, and management experts have shown since the 1950s that a purely hierarchical structure is ineffective. Moreover, it is clear from our experience that it is not always possible to have dedicated business analysts or project managers within the security organization or within each security program. So by mixing the hierarchy, matrix and shared-service models, a lot can be done with a small team.
This is where members of the Shared Services team create a matrix structure and bring essential organizational diversity to security programs. Each of the roles is an important link with other parts of the organization.
Roles connect to many other aspects of the business and its partners:
- Business analysts are the main liaison with the lines of business.
- Project managers use PMO and SDLC standards to lead successful projects within the program roadmap.
- Security operations implement solutions and are key players in many security processes.
- Security providers supply external input and subject-matter expertise that is not available within the organization.
The big picture
Now that we have defined the essential programs and roles, we have a complete picture of the 4×4 security organization: four main programs and four mechanisms for interacting with the business.
In the following articles, we will discuss the essential security program activities, management tools and success factors.