What Does a Security Program Look Like?

Security Program in Common Organizations

Let’s begin with the difference between the terms “cyber security program” and “information security program”. There is no difference, other than that “Cyber Security Program” is becoming more popular than “Information Security Program”.

People like me who have been in this game for a long time often still say “Information Security Program” out of habit. The rest of this article series will use the term “Cyber Security Program”, as a testament that even old dogs can learn new tricks.

How is Security Defined in an Organization?

A Cyber Security Program is a system for protecting the confidentiality, integrity, and availability of information within a business.

In most organizations there are two groups, which may or may not be related, that call themselves the security group.

  1. Physical Security Group: The first security group is charged with protecting the physical building and the people within it. Essentially, the security guards.
  2. Information Security Group: This group (note that in most organizations it is still not called the cyber security group… yet) is charged with protecting the information within an organization. Our focus for the rest of this series is this group, or whichever group is responsible for the cyber security program. Once you have found the group, the next step is to understand who is generally charged with running it in a common organization.

Related Topic: How is Security Defined in Many Organizations

Who Leads the Information Security Program?

In most organizations, the information security program is led by the Chief Information Security Officer, or CISO. This job is often also titled manager, deputy director, director, or vice president of information security.

Other Common Information Security Group Roles

You have found the group and its leader, and you are ready to understand some common roles on the cyber security team. Here goes:

Security Architect – This role is generally charged with managing the technical preventive and detective safeguards and how they interoperate within an organization. Preventive safeguards stop security events from happening, while detective safeguards detect when security events occur. Locks on doors are an example of a preventive safeguard, while video recording is an example of a detective one. A security architect is generally charged with managing how these safeguards work together to meet security program objectives.

Security Engineer – While security architects operate at the forest level, security engineers operate at the tree level. They are responsible for managing and operating a specific preventive or detective technology.

An example would be managing a firewall or a logging technology. To learn more, see a recent article I published on the Channel Co, where I discussed in detail the Top 5 Tips for any Security Technology Purchase.

Security Analyst – A security analyst is commonly responsible for research and for performing the routine tasks associated with security processes. We will discuss these processes more in the future, but for reference, they are common items like the risk, incident, security policy, or vulnerability management processes.

Related Topic: 2017: The Year of Security Program Development

Alright, hopefully this gets you moving in the right direction in understanding what a cyber (information) security program is. In the next article in this series, we will look at the documentation commonly found in a cyber security program.

Mike Gentile

CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles.