Balancing IT Security Management Model Trade-Offs

IT security professionals' effectiveness in an organization is influenced not only by how usable their security management tools are but also by how well the organization's security management model (SMM) fits. Finding the right SMM is critical but can be challenging — trade-offs are inherent to each approach but their implications aren't always clear. The authors present a case study of one academic institution that created a centralized security team but disbanded it in favor of a more distributed approach three years later. They contrast these experiences with expectations from industry standards. T he critical challenge of protecting an organization's assets from Internet attacks is multidimen-sional. Success depends not only on the usability of security management tools but also on the overall effectiveness of processes for IT security management. Many factors influence these processes , including an organization's level of commitment to security 1 and the type of security management model (SMM) that shapes the security team's structure , dynamics, and responsibilities. What's more, the recent push toward accountable IT governance has highlighted the need for formalized IT security management structures that can meet legislated requirements. For example, the Sarbanes-Oxley Act of 2002 mandates accountable use of IT controls in publicly traded US companies. However, legislation and guidelines for IT governance (such as the IT Governance Institute's " COBIT: Control Objectives of Information and Related Technology " ; www.isaca.org/cobit.htm) have focused on general IT management , without taking IT security spe-cifics into account. 2 Notable exceptions are security standards and guidelines from organizations such as the International Standards Organization/Inter-national Electrotechnical Commission (ISO/IEC) 3 and CERT. 4 The CERT handbook for security incident response 4 presents several SMMs and lists factors that organizations should take into account when choosing one, including the organization's size, security services, available resources, and organizational unit in which IT security professionals are embedded.