CPSO Reporting Structure Part 3

00:00

Hi, I'm Matthew Clark, and this is less than 2.6 sip. So reporting structures Part three.

00:08

In this lesson, we'll look at the sip so organizational structure and ask ourselves the question.

00:13

What should the typical sip so organization look like?

00:18

And we'll discuss what works for most organizations. So let's get started.

00:24

So what does this ipso organization look like? Well, it would be different for every organization, but in general terms, you're gonna have individuals, such a security engineers and security managers, depending on the size of the organization.

00:39

So security engineers, for example, could be over three or four different product lines.

00:45

They could have a dotted line to the CTO and a solid line to the sip sewed security manager. Or it could be reversed.

00:52

Security managers, on the other hand, manager group of security engineers. And they will be concerned with product lines within a specific business portfolio.

01:02

They could manage 3 to 5 different security engineers

01:06

and have a dotted line to the CTO or and a solid line to the sip. So

01:11

so, who are The Simpsons? Direct reports?

01:14

Well, in a smaller organization, you just might find a one man show where the chief product security officer is is the department. You know. They're everything to everyone

01:25

in a larger organization. You might find that their security engineers assigned to different product lines and it might not be a full time job for an engineer to be assigned to a single product line, but they might be spread out

01:37

and well established programs operating in large organizations. You're probably going to see ah layer of management with security managers that air managing multiple security engineers on Ben. They're probably going to be some type of matrix organization or dotted reporting line into engineering. Aziz. Well,

01:55

thio facilitate communications,

01:57

But again, it could be anyway. And lots of different organizations, um, handle things differently. No two organizations are alike,

02:07

regardless of how

02:14

we're going to stay high level in our discussion, because so much depends on the individual needs of the organization. And there's no such thing as a one size fits all approach.

02:24

So let's start our discussion with security engineers.

02:28

The most important and vital attributes for a security engineer is to be embedded within those engineering and R and D teams.

02:37

Sure, they need to have a strong technical knowledge, and they need to know about cybersecurity, and they need to have strong interpersonal skills and communication skills, which we'll talk about all about in a minute. But the most vital attribute is that they're there with the engineering teams

02:53

because they need to achieve a high degree of interoperability between those teams.

02:58

These are the people that will be doing the heavy lifting,

03:01

so they need to have a strong technical knowledge, both of engineering and cyber. On the engineering side, they need to understand product architectures and design because actual product security happens there

03:14

on the cybersecurity side, they'll need to understand things like incident response. When things go wrong, can they present a calm influence? Can they use project management management skills?

03:25

Can they make sure? Can they be the one to make sure that the right people are focusing on the right issues at the right time?

03:34

Security frameworks? Are they reinforcing the organization's chosen security framework?

03:39

Are the ensuring proper security design principles are being applied?

03:45

Can they act as an interface between the engineering world and the cybersecurity world, for example, not just by saying you shouldn't have cross site scripting

03:53

but taking the time to explain why cross site scripting is bad and suggesting how to fix it.

04:00

They do need strong interpersonal skills as well. This is a technical role, but it's also about relationship building.

04:06

It can't be seen as a Mr No and need to be able to use techniques such as the yes and technique.

04:14

It's also about communication. This role needs to be able to articulate why a certain decision would be good or bad for security.

04:21

And they need to be able to funnel up risk findings up to the higher levels within the organization. Outside of the classical Engineering

04:30

Focus,

04:35

which takes our discussion to the security managers

04:40

and the security managers air several skills and abilities that air absolutely vital. The first one is leadership skills. The security manager needs to have strong organizational and analytical and problem solving skills.

04:54

He also needed to be a strong project manager

04:56

and of course, demonstrate empathy and listening skills and persuasion.

05:01

They need to also have strong technical knowledge both in the engineering and cyber realm. But this is less important as a leadership skills are.

05:11

They need to be able to understand product architecture and design and know that cyber security is just not done in a vacuum.

05:17

They need to be able to ensure that security standards and practices flow across all the products

05:23

and multiple where multiple security engineers will be reporting into them about multiple product lines they need. Their technical knowledge will be important, but their leadership and being able to manage issues across product lines is going to be more important

05:36

on the cybersecurity side. They're going to need to know compliance and privacy and frameworks and things of encryption and how Ola's forks and as well as incident management.

05:47

They only need also have strong risk management skills, their ability to translate risk tolerance levels and making proper risk mitigations decisions and how to handle risk acceptance. They're gonna be vital for their ability to be successful within the organization.

06:02

They also will need to know how to work with others on how to set up set risk tolerance levels and to be able to handle tough decisions like, What do you do in the business? Says we'll just accept that big bad risk there and let's just move on.

06:17

The security manager also need to be able to conduct meaningful risk assessments, which is usually easier said than done.

06:26

And again, they also need to be a strong communicator because this is the person that will get the squeeze between the business and the cyber

06:39

for what works best.

06:41

The answer is, it depends.

06:43

De Hawk, the founder of Visa, said simple, clear purpose and principles give rise to complex, intelligent behavior.

06:51

Complex rules and regulations give rise to simple, stupid behavior.

06:59

The most important factor is that people and organizations are set up in positions that enable them to be successful.

07:06

Eliminating the obstacles and unnecessary reporting lines that that dictate communication paths,

07:14

um, can help people become a lot more effective.

07:17

The sip. So role needs to be in a position where it can coordinate with the C suite

07:21

and ultimately briefs the CEO and board alongside the C so on cyber issues they need to be buried in.

07:30

In reality, this position could be successful regardless of where it's positioned. As long as people have the right mindset,

07:39

being effective means being seen

07:42

part of being the in crowd,

07:44

being the person that people think, Oh, we should invite this individual because they can help us to this meeting

07:50

is that and that's so much better than them saying, Oh, I guess we should see. See the security guy on this just in case

07:58

there's a balance between being buried in correspondent CC'd on everything. So people are doing C Y A

08:05

and being proactively included

08:07

when you're seeing is bringing value to a discussion. People are quick to add you and this. So this position is more than just the hard skills.

08:16

There's no such thing as the right reporting structure. This is a judgment call based on senior leadership,

08:22

you know, and also based on a multitude of factors.

08:26

Senior leaderships, intention and direction and focus can affect it as well as existing products, product lines, business models and future business plans,

08:37

as well as existing people on their skills and capabilities, plus existing processes and technology and a whole wealth of all these other factors.

08:46

What works best for one company might not work for another one, even though they're in the same industry.

08:52

So the right answer to that question is, Do what works.

08:56

I'm sure that there are a lot of consulting companies out there that would love to fill up your counter chatting you up and building you for their time.

09:07

Okay, This is the closest toe Lord business from the Lego movie. As I could find in stock photos.

09:15

At the end of the day, there are no right answers. In fact, there could be many different shades of right or wrong answers, but that's leadership

09:24

living in the gray.

09:24

But it's less about Lord business than it is about building cohesion and unity and purpose.

09:31

I have personally been successful, and many of the roles that I've had in my career, in part because I've tried to reach across to others to tear down the silos, tried to be a little bit of more open than maybe I was in the past. And that's never easy.

09:46

But if you're in senior management or if you own the business, then isn't that the type of behavior that you would kind of want

09:54

from the people that you have working with you?

09:56

And sometimes this is difficult in organizations is never have never tried or had to work across different political lines. So just kind of keep that in mind,

10:07

Um, and also remember that you could be a leader without ever having a single person report to you and you could be a follower and still have legions of underlings waiting for your permission toe act.

10:24

Well, that's it for this lesson. In summary, we talked about The Simpsons organization.

10:28

We included security engineers and security managers in our discussion.

10:33

And remember, there's nothing wrong with being a one man team,

10:37

and there's trade offs in any type of configuration that you make.

10:41

We discussed what works in the real world, and we gave that classic seats of response to our answer.

10:48

What works for most organization, which is it depends.