I've been thinking and talking about "Security Transformation" more recently and was given EMC's Security for Business Innovation Council's report on "Transforming Information Security". It's an interesting read and really focuses on the organizational and skills aspects of the security team itself. I'm not sure I completely agree with all of it but it makes sense in a few organizations. As with all organizational design there are a few key things that influence that design greatly.
- Company Culture - First and most importantly, the overall company culture will dramatically drive the distributed vs. centralized approach and the focus of the services. This cascades down to the security team structure.
- Company Size - There is a huge difference between a company of 1k people and one of 100k. As a result, the ability to focus and implement varies greatly. A matrixed approach makes much more sense in smaller organizations.
- Company Profitability - Anyone who's been part of a company, large or small, that is unprofitable or in a dangerous spot on the profitability curve can tell you it changes your focus. Focusing only on core capabilities is more likely when the business is more risk tolerant due to profitability.
- Company Organizational Design - A company that is highly separated along functional lines is more likely to have autonomous security as well. This could also be for other reasons such as investments, regional partnerships, etc.
- Company Locales (i.e. multinationals) - With the distribution of offices comes regional autonomy that drives a locally governed security organization. There could be a company "governance" role, but that is not a hard management layer.
With all of these different models of business management comes a higher potential for different models of security management.