Security Department Internals

In a series of articles, I will describe the responsibilities of a security department. I had the idea of building a technology company from scratch, initially focusing on security. I determined that I didn’t want to talk about building a small company from scratch. Instead, I wanted to discuss all the things that go on in mid to large organizations and that a company of any size can model itself after.

One of the worst things you can have is a small company that doesn’t know how to transform into a medium or large company. Often the business side will grow, but the technical departments do not always grow at the same speed. I’m not referring to size (although that is common as well) but to maturity.

An organization practicing good security will have someone in charge of leading in this area. The larger the company, the larger the security department will be. However, one of the worst things you can do is start a company, no matter how small, without someone solely focused on ensuring its employees are securely performing all daily tasks.

The main goal of a security department in an organization is to align security best practices with all aspects of the business. Typically, security departments do not directly implement security controls; instead, they influence employees to perform every task with a security mindset. Both technical and non-technical departments are part of implementing a secure environment. Each department is supplied with a framework that aligns with its job functions.

A major function of a security department is to help the organization take managed risks. Few gains are obtained in business without taking some risk. The security department will implement a risk management program used by the business to make decisions based on calculated measurements.

A great security program is not static, but always changing to meet the business needs. A business that keeps growing while change is happening all around it reflects a solid, dynamic security program. Consider the opposite: if a security department is made up of static practices that never change, then the business will not grow without running into some type of trouble.

It is common to think that the people in a security department are highly technical, hacker-like individuals. While many will have sound technical skills and perform senior-level functions, much of the skillset they demonstrate will be soft in nature: communication, management, risk determination, and teaching abilities.

People in a security department will work with all types of people in the business. Some will work directly with the I.T. department on proper secure implementations and operational practices. Other security employees will work with business units to ensure existing policies are being followed. Security teams also work with legal departments on various matters. Of course, they also interface with business leaders when determining acceptable risk for a particular matter.

