Security Governance, Management and Operations Are Not The Same
FOUNDATIONAL DOCUMENT
This research is reviewed periodically for accuracy. Last reviewed on 14 June 2018.
Key Challenges
■ Security governance, management and operations have very different functions. In the absence
of a formally documented model, the demarcation is not always obvious. However, clarity is
fundamental to the performance of each.
■ Part of the role of a security governance forum is to ensure that business and security
processes have sufficient internal segregation of duties (SOD) to avoid a conflict of interest.
■ In the absence of a business context, security management and operations teams may well be
doing what they believe to be the "right" things, but what could, in fact, be wasting effort and
delivering against the wrong requirements.
Recommendations
■ Focus on business outcomes by establishing a security governance forum that does not
become mired in operational issues, but gives direction and oversight.
■ Develop clear, documented descriptions of the function of the security governance,
management and operations layers.
■ Ensure that the security governance forum itself has sufficient separation from security
management and security operations so that a conflict of interest is avoided.
Table of Contents
Introduction
Analysis
Focus on Business Outcomes by Establishing a Security Governance Forum That Does Not Become Mired in Operational Issues, but Gives Direction and Oversight
Develop Clear, Documented Descriptions of the Function of the Security Governance, Management and Operations Layers
The Role of Information Security Governance
The Role of IT Security Management
The Role of IT Security Operations
Ensure That the Security Governance Forum Itself Has Sufficient Separation From Security Management and Security Operations to Avoid a Conflict of Interest
Recommended Reading
Introduction
"Security governance," "security management" and "security operations" are broad terms
describing interrelated functions, and Gartner provides a wide range of research to bring these
topics into focus. Members of governance committees must understand the salient differences
between them in order to avoid dysfunction and meet business and IT goals.
The purpose of this analysis is to provide clear guidance on the distinction between these three
layers. It is not intended to give a comprehensive description of all aspects of each layer.
Analysis
Focus on Business Outcomes by Establishing a Security Governance Forum That
Does Not Become Mired in Operational Issues, but Gives Direction and Oversight
There is no single universal model for organizational structure to ensure that the information and IT
security ("security") requirements of any given organization are adequately met.
Each of these layers must engage with corresponding layers throughout the enterprise.
Security management and security operations staff must have an awareness of the goals of the
business, but be expert in the delivery of the security processes that support those goals. This is
true whether security functions, including operational functions, are insourced, outsourced or a
blend of both.
Conversely, business representatives must be able to clearly articulate what they need from IT
security management and security operations, without having to have detailed knowledge of the
technology and the processes. The responsibility for articulating these requirements and ensuring
that they are met lies squarely with the business, regardless of operational arrangements.
For each to understand the other, a security governance forum must exist within which the
conversations to ensure performance, manage risk and resolve issues can occur. To avoid a
dysfunctional forum, it is necessary to have a clear understanding of the distinctions among security
governance, security management and security operations, and how they should interact.
It is important that the charter for the security governance forum is clear, whether the domain it will
govern is just IT security, which can be considered to be the platforms and operational processes of
the organization, or information security, which may be considered to be all information in
electronic, physical (paper) or ephemeral (such as voice) form.
Gartner recommends adopting the broader information security forum approach (see "Information
Security and Risk Governance: Forums and Committees"). This research will be based on this
approach, with the focus area being the IT security component at the management and operations
layers.
Develop Clear, Documented Descriptions of the Function of the Security Governance,
Management and Operations Layers

Figure: example composition of the security governance forum and the security management team (example only)

Security Governance (example only)
Purpose: Ensure that high-level business requirements are defined, adequate and met.
Chair and sponsor: Chief Risk Officer
Members: Head of Research; Head of Manufacturing; Head of Distribution; Chief Information Officer; Head of Security; Chief Legal Officer; Head of HR; Chief Information Security Officer

Security Management (example only)
Purpose: Ensure that security functions are adequately resourced and executed to meet business requirements.
Functional leader: Chief Information Security Officer
Members: Manager, CSIRT; Manager, Policy and Compliance; Manager, Relationship and Vendor Management; Manager, Security Assurance; Manager, Security Consulting; Manager, Security Platform Operations; Manager, Security Reporting

The Role of Information Security Governance
■ Information security governance (ISG) processes are decision-making and oversight processes
(they "ensure"), not "execution" processes.
■ The overriding objective is the attainment of business goals, not IT goals.
The role of the chief information security officer (CISO) within ISG is to work closely with senior
executives, line-of-business managers, the IT organization, and others to establish an effective
governance framework and meaningful risk assessments; support the delegation of authority to the
security function via a charter; support effective enterprise risk management; and support the
establishment of measurable controls that map to all relevant regulations and standards.
Representatives on the ISG forum should include midlevel to senior-level management from lines of
business, audit, risk, IT and corporate security (such as fraud, protective security and crisis
management). In a large enterprise, a forum of around 10 people would be reasonable.
The ISG forum is a critical component in setting the overall direction of the security program
implemented by the CISO, taking into account the strategic needs of the business, the risk appetite
of the organization, other non-IT and information security issues (such as physical and personnel
security), and broader IT and information initiatives beyond the security realm.
■ Establishing and maintaining effective lines of accountability, responsibility and authority for
protecting information assets
■ Acting as a steering committee for the information security program, including making or
approving the final resource allocation decisions for the annual strategy plan
■ Acting as a steering committee for projects that require significant business unit involvement
(for example, data loss prevention — some examples of how to do this are provided in the
Recommended Reading)
■ Tracking the progress of remediation on risk items (for example, audit report findings)
■ Reviewing metrics reporting, and requesting new metrics, if required
■ Monitoring operational performance
■ Providing a forum for the CISO to guide localized security efforts within individual business units
via ISG committee members
■ Acting as a mediation or arbitration forum for reconciling conflicting security requirements
between different organizational entities
The Role of IT Security Management
Led by the CISO, or an equivalent role, the security management layer draws together a range of
security activities, including, but not limited to:
All these activities are likely to be conducted in conjunction with other teams. For example, a
security architecture role may exist as a direct report to the CISO, and work as part of a virtual team
in conjunction with a broader enterprise architecture community, or alternatively, an enterprise
architecture team may have a "dotted line" reporting relationship to the CISO. This effectively results
in a matrix approach to security in modern organizations.
The CISO, and indeed other layers within the security management team, must not only be an
expert in his or her field, but also have other skills, such as business, risk, communication and
negotiation skills. This is consistent with the evolving requirements of risk roles more generally (see
"Meeting the Information Needs of the Chief Risk Officer in 2023").
While some security decisions are likely to be reached through a directive approach, in many cases,
they may alternatively be reached through negotiation and consensus among several parties. This
approach is discussed in more detail in "Gartner for IT Leaders Overview: The Chief Information
Security Officer."
The Role of IT Security Operations
Examples of functions that the IT security operations team may perform include the list below (see
"The Security Processes You Must Get Right").
The activities are a subset of the responsibilities and activities met by the broader IT security
organization, as described in the previous section, The Role of IT Security Management.
One of the key areas on which the ISG forum may need to focus is the balance between roles
performed by security and IT operations. Some security functions may, over time, transition from IT
security to IT operations. A detailed discussion is provided in "Gartner for IT Leaders Overview: The
Chief Information Security Officer."
Some of these functions may be executed by the IT operations team under change control, with
security operations acting as a member of the change control board (thus, an approver).
Furthermore, security operations could act in a verification role: using vulnerability scanner
results, it confirms either that the patch has been applied or that the vulnerability the patch
addresses is no longer reported. In both cases the person who applies the change is not the
person who approves or verifies it.
Ensure That the Security Governance Forum Itself Has Sufficient Separation From
Security Management and Security Operations to Avoid a Conflict of Interest
The integrity of the security program depends, in part, on the avoidance of conflicts of interest. This
is achieved through a separation of duties regime. Establishing such a regime is difficult to do well,
but it is critical for ensuring the integrity of a policy compliance regime and can be the subject of
detailed auditor scrutiny.
One technique for implementing SOD is through a matrixed organizational (dotted-line) reporting
model, as discussed earlier in this research. This ensures that sensitive roles are subject to
oversight from more than one reporting line.
The ISG forum is perfectly positioned to ensure that adequate SOD safeguards are in place. By
incorporating representatives from each layer of a three-layered assurance model into the ISG
committee membership, that forum can ensure that each layer is working cohesively, and resolve
issues as they arise (see Note 1).
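The SOD regime described in this section, and the change-control arrangement described under The Role of IT Security Operations (implementer, approver and verifier as distinct parties, with verification backed by scanner evidence), can be checked mechanically rather than by inspection. The following is an added example written for this page, not Gartner's code or a description of any product. The role names, the conflicting role pairs, the people and the scanner output are all constructed assumptions standing in for an organization's own SOD policy and tooling.

```python
"""Segregation-of-duties (SOD) checks for a patch change-control workflow.

Added example, not code from the original document. The role names, the
conflict pairs and all sample data below are constructed assumptions that
stand in for an organization's own SOD policy and vulnerability scanner output.
"""
from dataclasses import dataclass, field

# Assumed policy: no single person may hold both roles in any pair.
CONFLICTING_ROLES = frozenset({
    frozenset({"change_implementer", "change_approver"}),
    frozenset({"change_implementer", "patch_verifier"}),
    frozenset({"policy_author", "compliance_auditor"}),
    # The governance forum must stay separate from the operations it oversees.
    frozenset({"governance_forum_chair", "security_operations_manager"}),
})


def sod_conflicts(assignments):
    """Map each person to the conflicting role pairs they hold.

    assignments: {person: set_of_roles}.
    Returns {person: [(role_a, role_b), ...]} containing only the people
    who hold at least one prohibited pair.
    """
    found = {}
    for person, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= set(roles)]
        if hits:
            found[person] = sorted(hits)
    return found


@dataclass
class ChangeRecord:
    """One patch change as presented to the change control board."""
    change_id: str
    finding_id: str          # vulnerability the patch is meant to close
    implementer: str         # IT operations engineer applying the patch
    approver: str            # change control board approver (security operations)
    verifier: str            # who signs off that the risk is gone
    # Constructed post-change scanner result: finding ids still open on the host.
    open_findings_after: frozenset = field(default_factory=frozenset)


def validate_change(record):
    """Return the list of control failures for a change; [] means it may be closed."""
    problems = []
    if record.implementer == record.approver:
        problems.append("implementer approved own change")
    if record.implementer == record.verifier:
        problems.append("implementer verified own change")
    # Verification is evidence-based: the scanner must no longer report the finding.
    if record.finding_id in record.open_findings_after:
        problems.append(f"scanner still reports {record.finding_id} after change")
    return problems


# Constructed sample data (assumed people and roles).
SAMPLE_ASSIGNMENTS = {
    "alice": {"governance_forum_chair", "security_operations_manager"},
    "bob": {"change_implementer"},
    "carol": {"change_approver", "patch_verifier"},
    "dave": {"policy_author", "compliance_auditor", "change_implementer"},
}

SAMPLE_CHANGES = [
    # Clean change: bob applies, carol approves and verifies, scanner shows finding closed.
    ChangeRecord("CHG-1001", "FINDING-42", "bob", "carol", "carol", frozenset()),
    # Bad change: bob approves his own work and the scanner still sees the finding.
    ChangeRecord("CHG-1002", "FINDING-43", "bob", "bob", "carol", frozenset({"FINDING-43"})),
]

if __name__ == "__main__":
    for person, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SOD conflict: {person} holds {pairs}")
    for change in SAMPLE_CHANGES:
        print(change.change_id, validate_change(change) or "ok")
```

Run against the sample data, the role check flags alice (forum chair who also runs security operations) and dave (writes policy and audits compliance against it), while carol holding both approver and verifier is allowed under the assumed policy; the change check passes CHG-1001 and rejects CHG-1002 for self-approval and for a scanner result that still shows the finding. An organization would replace the constructed policy and data with its own role model and scanner export; the structure of the checks is what the SOD regime requires.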
Recommended Reading
"Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management"
Evidence
This research is based on 39 client inquiries on the topics of security governance, organization and
operations conducted between 1 September and 30 November 2012.
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.