Disbanding your security team may not be an entirely dumb idea

Disbanding your security team may not be an entirely dumb idea, because plenty of other people in your organisation already overlap with their responsibilities, or could usefully do their jobs.

That's an idea advanced by analyst firm Gartner's vice president and research fellow Tom Scholtz, who has raised it as a deliberately provocative gesture to get people thinking about how to best secure their organisations.

Scholtz's hypothesis is that when organisations perceive more risk, they create a dedicated team to address it. That team, he said, grows as the scope of risk grows. With business quickly expanding their online activities, that means lots more risk and lots more people in the central team. Which might do the job but also reminded Scholtz that big teams are seldom noted for efficiency.

He also says plenty of businesses see centralised security as roadblocks. “I met one chief security officer who said his team is known as the 'business prevention department',” Scholtz told Gartner's Security and Risk Management Summit in Sydney today.

He therefore looked at how security teams might become less obstructive and hit on the idea of pushing responsibility for security into other teams. One area where this could work, he said, is endpoint security, a field in which many organisations have dedicated and skilled teams to tend desktops and/or servers. Data security is another area ripe for potential devolution, as Scholtz said security teams often have responsibility to determine the value of data and how it can be used, as do the teams that use that data. Yet both teams exist in their own silo and duplicate elements of each other's work. Giving the job to one team could therefore be useful.

He also pointed out that security teams' natural proclivities mean they are often not the best educators inside a business, yet other teams are dedicated to the task and therefore excellent candidates for the job of explaining how to control risk.

Scholtz's research led him to believe that organisations will still need central security teams, but that devolution is unlikely to hurt if done well. Indeed, he said he's met CIOs who are already making the idea happen, by always looking for other organisations to take responsibility for tasks they don't think belong in a central technology office.

Making the move will also require a culture that sees people willing to learn, fast, and take on new responsibilities. Organisations considering such devolution will also need strong cross-team co-ordination structures, plus the ability to understand how to integrate security requirements into an overall security solution design.

Even those organisations who ultimately see such devolution as too risky, Scholtz said, can still take something away from the theory, by using it to ensure that business unit or team leaders feel accountable for securing their own tools. Devolving security can also help organisations identify which security functions have been commoditised and are therefore suitable for outsourcing. ®