Within bigger organizations there are several persons dealing with security on a daily basis. Unfortunately most of them are still working on their own small islands, resulting in lack of alignment between the different teams.
For optimal coverage of security within the organization, it’s good to know which people are actually available and working on have what kind of activities. Examples of “security leaders” are:
- CIO (Chief Information Officer)
- CISO (Chief Information Security Officer)
- CRO (Chief Risk Officer)
- CSO (Chief Security Officer)
- IT Auditor
- Security Administartor
- Security Engineer
- Security Manager
- Security Director
Now we have some feeling for what people are there to support the bigger security program, it is helpful to document their roles and responsibilities. Since they people are usually also the best trained to deal with (serious) security incidents, this input is also useful for creating your virtual team (e.g. Computer Security Incident Response team (CSIRT)). Contact details and where appropriate telephone numbers should be added, so when an event occurs, the right persons, or persons, can be informed.
Describing the roles and responsibilities are best done on a central location, which is linked or stored close to the internal security intranet pages. If possible these people could be tagged within the corporate directory (e.g. a people finder, employee directory) as being a security related contact. With a smart filter these people can be displayed near to the other security relevant information for a quick overview. Please note that this does not replace a role and responsibilities matrix, but makes it at least easier for security people to find their peers within the organization.