Having talked about this in the past I thought I would write up my thoughts on the org structure of the security groups. We seem to have a lot of different types of group structures out there and not necessarily intentionally designed that way. Most of our org structures have developed as a result of history, moving from ops to governance, but I struggle to see anywhere that anyone has talked about the different models and pro's and cons. Thought I would put in my 2 cents.
Security Organizational Intent
The first thing we need to consider is the overall intent of the security group. I see this as a graduating scale where on the left side we have a totally advisory group and on the right we have a strict "command and control" group. My personal opinion is that neither works well in most organizations. No one likes a hard lined "my way or the highway" approach and who wants a group that gives advice and doesn't actually put their skin in the game? With both groups, come cost cutting time you are either a problem or no one sees a real need to keep you around. My desire is to be somewhere in the middle. There are functions that should be "command and control" such as Threat Response (Incident Response). A great chunk of functions should be risk based such as Controls Implementation (Policy and Standards), Risk Assessment (Audit) and others. Lastly, forward looking strategy with the business should always be advisory. This is not very well done in most organizations if at all. This is where security is involved in the development of the business strategy and giving guidance on threat / compliance landscape, risks associated with strategic direction and others.
Of course, all of this is highly dependent on corporate structure and culture. However, most organizations would be best served with a ranged approach to the security model implementation.
Centralized vs. Decentralized
One of the historical conversations has been over a decentralized vs. centralized function. I've always driven to a centralized function based on the simple fact that people will do what their paychecks tell them. As a result, I've never been too keen on "security" people reporting directly into the BU's and dotted line to InfoSec. This doesn't mean that we should remove their function from being dedicated to that function. There's an immense value in having security practitioners living with the BU's, learning how the function and what the true impacts of security direction has on them. This is akin to the value of having police returning to the walking beat as opposed to squad cars. The connection and relationship development is highly valued and is facilitated through this side by side working.
Having a core function focus on Security Management (Policy, Standards, Controls Implementation), Threat Response and Risk and Compliance is key. Having Security Management have team members embedded into the various BU's for Controls Implementation is a good path. The Controls Implementation is owning security control points within the key processes of those BU's.