Historically, security organizations have grown up organically, starting 15 – 20 years ago with a single security conscious person who ended up getting tagged with doing the job. Over the years, that manager asked for new positions, filling a tactical need when issues were presented, creating departments/teams as it made sense. There was no particular plan in place or a long-term strategy. Eventually, you end up with more than a handful of employees and a dysfunctional team. Don’t get me wrong, the team is usually very good at putting out fires and “getting the work done” but, by no means is it robust or optimized. They typically do not work on the issues that are most important to the company rather these large security groups are playing whack-a-mole with issues and deal with fires as they are presented. There is no opportunity to get ahead of the game and when the fire is in your area you deal with it the best way you can. Of course, this can cause inter-personal issues amongst the team members and duplication of efforts, driving even more dysfunction.
As a consultant, it’s easy to say that lack of planning created these problems, but I don’t know many info sec managers who could claim they have a growth plan that goes out 15 years and involves hiring 30-50 new employees. Most security professionals, for the majority of their careers, are fighting fires
What lessons has Neohapsis learned working with our clients to reorganize their security departments?
Don’t under estimate the angst that will be voiced by the team leaders/managers within the department if they are not included in the decision making process, even if you already know the right decision.
When it comes down to it, there are only so many ways you can design a security organization. Certain jobs and tasks make sense together. Certain others require similar skill sets. Technically, you don’t really need to involve many people in the decision if you have someone who knows the culture of the company and has done this before. You could very easily take a CISO and a consultant and develop a new organizational structure and announce it to the CISO’s management team. You try that, and you’ll be surprised at the uproar about not understanding the nuances of each department and the needs and issues of the individuals. Though it will take longer, a CISO will find better acceptance with his own management team if they are allowed to go off and work together to propose an org design of their own. It will probably take 30 days and in the end, it will probably look almost identical to what the CISO and consultant would have wanted anyway. But, the managers’ attitudes will be different and they will have buy-in. It still doesn’t hurt to get a consultants opinion on the org design, just don’t let your management team think you outsourced their career path. Even though you could have started your organization change 30 days ago, sometimes it is more about buy-in than being right. That’s a very hard lesson for many security professionals.
Titles are a big deal to security people
Probably the most contentious and politically painful experience, and frankly the biggest complaints from the security team leads and managers, will be coming up with proper titles for the new departments. As is generally the case in large organizations, there are way too many Directors, VPs, Senior VPs than can honestly be justified by organizational design. You look over the fence and wonder how everyone in the sales department can be a Senior VP.
What makes this particularly difficult within a security organization is that security professionals by nature view themselves as different or special than everyone else in the organization. Inevitably, that means corporate HR policy is perceived to be inapplicable to them. The presumption of non-applicability is exactly what security complains about when co-workers ignore security policy. So when company policy dictates a Director title requires X number of direct reports, what do you do with your architecture group that has 5 people with 20 years security experience and no direct reports? If you don’t title that team as Director’s or better, nobody from the outside will apply for the positions. But if you do, others in the organization will ask why there is a department of 5 people all with Director titles.
In the same vein, titles are routinely viewed by security professionals as a way of bullying co-workers into complying with a particular security policy or decision. Any perceived lost opportunity to get a title promotion is met with severe angst, no check that…open revolt…even when no salary increase comes with it.
In the end most titles will end up being a mix of corporate policy and what levels in the organization that particular person would have to interact with (eg: need for presumed power). Yes, many feelings will be hurt.
Salaries are all over the map
In similar alignment with titles, salaries are a difficult thing to pin down in the security industry. Sure you can go to any of a number of surveys and pull an average salary…but often they are for a generic title like “security architect” or “security analyst” or something very specific like “IDS specialist”. Is your security analyst the same as my security analyst? I can’t tell. Should a firewall guru get paid the same as a policy guru? Why? Why not? Eventually you will have to look at existing salaries within the team (obviously), a third party perspective of the market conditions, and the caliber of talent you want applying. At some level it becomes a throw a number out there and see if you a get nibble approach.
Sounds like too much work…
Are the basic issues outlined above insurmountable? Of course not. But they seem to be so minor that many security managers will ignore them and focus on the so called “big picture”. Little do they know, the big picture was never really in doubt. It was the little things that were going to give them the biggest head aches and threaten to derail the path to the big picture.
Has this happened in you organization? Did you have a re-org experience to tell? We would love comments.