Hi, I'm Matthew Clark and this is less than 2.4 sip. So reporting structures, part one.
In this lesson, we will look at lines of defense and possible places. Toe have the sip, so report into So let's get started.
A discussion with force episodes from Honeywell, Schneider Electric G and Rockwell Automation at the 2020 RSA event outlined this concept of lines of defense.
The length of their discussion is in the resource is section, and these were four highly intelligent individuals, and I completely recommend that you listen to that
held on that the first line of defense is the business line or, in other words, the engineering organization,
the individuals that are closest to the product, the ones that are responsible for implementation of products, security controls. This is where security either happens or it doesn't.
The second line of defense is the enterprise operations. They're responsible for ownership of the product security program, developing the strategy in establishing controls to bring residual risk in line with risk tolerance.
The third line of defense is internal audit.
They're responsible for verifying control. Implementation and operation are in line with control design
and that controls air designed appropriately to mitigate risk to acceptable levels.
The fourth line of defense is the board and senior management, and they're responsible for establishing risk appetite, driving the security culture, board oversight or broad oversight and, uh, service the final escalation point. They're also the ones that own products security risk
this charts helpful in framing that discussion of where the sips opposition should reside. If the Simpson is focused solely on the first line of defense responsibilities, then it probably makes sense for them to report into the engineering function.
If their responsibilities reside in the second line of defense,
then it matters less about where they said,
and generally the sip so will be responsible for both the first and the second lines of defense.
The reporting position of the sip so could have significant impact on her ability to influence products security.
Let's discuss some of these potential reporting lines, knowing that every organization is different
when the sip so reports into the board or the CEO that makes a bold statement of priorities.
Those several positives with this the position will maintain independence from the CTO or the sea so
and it will allow for some frank conversations about risk.
The sip so we'll have toe will have, ah, high ability to influence product lifecycle decisions. It will be able to drive security messages. Certainly this will make the sip. So a security crusader.
The downsides. Unfortunately, that's probably a lot.
While it's a high priority, cybersecurity is not usually central to the CEO's responsibilities.
It might make sense, maybe in some businesses or product. Security is so important that it's part of the business strategy objectives.
But then it still might make sense. Toe. Have it fall under another role, such as the CTO
CEOs. Attention can also can Onley be subdivided so many times?
If the position reports to the board, then someone from the board will need to manage that relationship. You know, this is an interesting but highly unlikely proposition, at least in the foreseeable future for sips owes.
But someone always likes to bring up this possibility. He always hear that the sea so should report the CEO on board. So we figured we'd cover that for the sip, so as well,
reporting into the chief technology officer or CTO
now, historically, the head of product security probably comes from the engineering or R and D organizations and most companies. It's a function most likely that arrived because of a natural organizational growth. There is a need, and someone steps up, feels that need and their responsibility grows over time.
A sip so needs to spend time with engineers, building the product security program, getting their trust and buy in and impacting security and usability of the end products.
It's not enough just to have the program, but the program has toe work, and for that to happen, there needs to be interaction between the sip. So's organization and the engineering organization,
especially for smaller organizations. Smaller companies
reporting to the CEO probably set those expectations very well.
Frankly, the CTO does need to hear about how products security is developing not just a bill, better confidence in the program or to weigh in on larger decisions, but because security can usually be leveraged as a product differentiator. You know, position correctly, security can be a selling point.
No, there downsides. Of course there are.
This arrangement can will naturally bring conflict. The CTO is responsible for getting products shipped on time and on budget, and security adds complexity and complexity adds time and cost.
And so the sip so would report into a guy who is constantly working with everyone else and his team to reduce time and cost, except for this one girl, the sip. So
who keeps throwing water in all of this great ideas? Of course. She's probably using the yes and technique that we already just talked about, and she's careful never to let know be the very first thing, she says. But sometimes she has to be the voice of reason, the conscience of the company, so to speak.
And this is akin to having the sea. So report to the CEO.
It makes sense until you think about it. You realize that maybe it doesn't make sense, at least not in every organization,
because usually it's a source of conflict of interest.
But to be absolutely fair, this does work. Don't get me wrong. This reporting arrangement works, but then so does every reporting arrangement. If you have the right people involved and they're aligned,
that's it. For this lesson and review, we discuss the lines of defense, including the Business Line, the Enterprise Operations Line, Internal Audit and Borden Executive Management.
We also looked at possible places to have the sips of report into, including the CEO of board and CTO. Join me in my next lesson when we discussed the other possible areas, That's a sip so can report into I'll see you next time.