
Security Governance, Management and Operations Are Not the Same


FOUNDATIONAL Refreshed: 14 June 2018 | Published: 23 January 2013 ID: G00235293

Analyst(s): Rob McMillan, Tom Scholtz

Organizations sometimes confuse IT security governance, security management and security
operations, leading to performance failure, conflict of interest and organizational dysfunction. This
research clarifies the distinction to help clients position and align these functions.

FOUNDATIONAL DOCUMENT
This research is reviewed periodically for accuracy. Last reviewed on 14 June 2018.

Key Challenges
■ Security governance, management and operations have very different functions. In the absence
of a formally documented model, the demarcation is not always obvious. However, clarity is
fundamental to the performance of each.
■ Part of the role of a security governance forum is to ensure that business and security
processes have sufficient internal segregation of duties (SOD) to avoid a conflict of interest.
■ In the absence of a business context, security management and operations teams may well be
doing what they believe to be the "right" things, but in fact be wasting effort and delivering
against the wrong requirements.

Recommendations
■ Focus on business outcomes by establishing a security governance forum that does not
become mired in operational issues, but gives direction and oversight.
■ Develop clear, documented descriptions of the function of the security governance,
management and operations layers.
■ Ensure that the security governance forum itself has sufficient separation from security
management and security operations so that a conflict of interest is avoided.
Table of Contents

Introduction............................................................................................................................................ 2
Analysis.................................................................................................................................................. 2
Focus on Business Outcomes by Establishing a Security Governance Forum That Does Not
Become Mired in Operational Issues, but Gives Direction and Oversight...........................................2
Develop Clear, Documented Descriptions of the Function of the Security Governance, Management
and Operations Layers..................................................................................................................... 3
The Role of Information Security Governance............................................................................. 4
The Role of IT Security Management.......................................................................................... 6
The Role of IT Security Operations..............................................................................................6
Ensure That the Security Governance Forum Itself Has Sufficient Separation From Security
Management and Security Operations to Avoid a Conflict of Interest................................................ 8
Recommended Reading.........................................................................................................................8

List of Figures

Figure 1. Illustrative Organizational Demarcation Between Information Security Layers............................4

Introduction
"Security governance," "security management" and "security operations" are broad terms
describing interrelated functions, and Gartner provides a wide range of research to bring these
topics into focus. Members of governance committees must understand the salient differences
between them in order to avoid dysfunction and meet business and IT goals.

The purpose of this analysis is to provide clear guidance on the distinction between these three
layers. It is not intended to give a comprehensive description of all aspects of each layer.

Analysis
Focus on Business Outcomes by Establishing a Security Governance Forum That
Does Not Become Mired in Operational Issues, but Gives Direction and Oversight
There is no single universal model for organizational structure to ensure that the information and IT
security ("security") requirements of any given organization are adequately met.

Broadly speaking, the demarcation is as follows:

Page 2 of 10 Gartner, Inc. | G00235293


■ Security governance exists to ensure that the strategic requirements of the business are defined
and that the security program adequately meets those requirements. This may include
discussing and adjudicating between business needs in complex situations.
■ Security management builds and runs the security program to meet these strategic business
requirements. This incorporates the various security functions, processes and tactics that make
up the security program.
■ Security operations execute security-related processes relating to current infrastructure on a
day-to-day basis.

Each of these layers must engage with corresponding layers throughout the enterprise.

Security management and security operations staff must have an awareness of the goals of the
business, but be expert in the delivery of the security processes that support those goals. This is
true whether security functions, including operational functions, are insourced, outsourced or a
blend of both.

Conversely, business representatives must be able to clearly articulate what they need from IT
security management and security operations, without having to have detailed knowledge of the
technology and the processes. The responsibility for articulating these requirements and ensuring
that they are met lies squarely at the feet of the business, regardless of operational arrangements.

For each to understand the other, a security governance forum must exist within which the
conversations to ensure performance, manage risk and resolve issues can occur. To avoid a
dysfunctional forum, it is necessary to have a clear understanding of the distinctions among security
governance, security management and security operations, and how they should interact.

The charter for the security governance forum must state clearly which domain it will govern: just
IT security, which can be considered to be the platforms and operational processes of the
organization, or information security, which may be considered to be all information in electronic,
physical (paper) or ephemeral (such as voice) form.

Gartner recommends adopting the broader information security forum approach (see "Information
Security and Risk Governance: Forums and Committees"). This research will be based on this
approach, with the focus area being the IT security component at the management and operations
layers.

Develop Clear, Documented Descriptions of the Function of the Security Governance, Management
and Operations Layers
Figure 1 depicts the demarcation between information security governance, management and
operations.



Figure 1. Illustrative Organizational Demarcation Between Information Security Layers

Security Governance (example only)
  Purpose: Ensure that high-level business requirements are defined, adequate and met.
  Chair and Sponsor: Chief Risk Officer
  Members: Head of Research; Head of Manufacturing; Head of Distribution; Chief Information
  Officer; Head of Security; Chief Legal Officer; Head of HR; Chief Information Security Officer

The Chief Information Security Officer is the link between the governance layer and the
management layer.

Security Management (example only)
  Purpose: Ensure that security functions are adequately resourced and executed to meet
  business requirements.
  Functional Leader: Chief Information Security Officer
  Members: Manager, CSIRT; Manager, Policy and Compliance; Manager, Relationship and Vendor
  Management; Manager, Security Assurance; Manager, Security Consulting; Manager, Security
  Platform Operations; Manager, Security Reporting

Below the management layer sit two operations teams, each led by its own manager:

Security Platform Operations
  Purpose: Perform specialized security functions, such as build, maintain and run security
  platforms (e.g., vulnerability-scanning infrastructure, firewall configuration).
  Functional Leader: Manager, Security Platform Operations
  Team: Relevant security professionals

IT Operations
  Purpose: Perform IT operations that have a security implication (e.g., identity provisioning,
  change management, server patching).
  Functional Leader: Relevant IT Operations Line Manager
  Team: IT professionals with security-oriented roles

Source: Gartner (January 2013)

The Role of Information Security Governance


Information security governance (ISG) can be defined as "the processes that ensure that reasonable
and appropriate actions are taken to protect the organization's information resources, in the most



effective and efficient manner, in pursuit of its business goals" (see "Introducing the Gartner
Information Security Governance Model").

Some principles inherent in this definition are:

■ ISG processes are decision-making and oversight processes (they "ensure"), not "execution"
processes.
■ The overriding objective is the attainment of business goals, not IT goals.

The role of the chief information security officer (CISO) within ISG is to work closely with senior
executives, line-of-business managers, the IT organization, and others to establish an effective
governance framework and meaningful risk assessments; support the delegation of authority to the
security function via a charter; support effective enterprise risk management; and support the
establishment of measurable controls that map to all relevant regulations and standards.

Representatives on the ISG forum should include midlevel to senior-level management from lines of
business, audit, risk, IT and corporate security (such as fraud, protective security and crisis
management). In a large enterprise, a forum of around 10 people would be reasonable.

The ISG forum is a critical component in setting the overall direction of the security program
implemented by the CISO, taking into account the strategic needs of the business, the risk appetite
of the organization, other non-IT and information security issues (such as physical and personnel
security), and broader IT and information initiatives beyond the security realm.

The responsibilities of an ISG forum should include:

■ Establishing and maintaining effective lines of accountability, responsibility and authority for
protecting information assets
■ Acting as a steering committee for the information security program, including making or
approving the final resource allocation decisions for the annual strategy plan.
■ Acting as a steering committee for projects that require significant business unit involvement
(for example, data loss prevention — some examples of how to do this are provided in the
Recommended Reading)
■ Tracking the progress of remediation on risk items (for example, audit report findings)
■ Reviewing metrics reporting, and requesting new metrics, if required
■ Monitoring operational performance
■ Providing a forum for the CISO to guide localized security efforts within individual business units
via ISG committee members
■ Acting as a mediation or arbitration forum for reconciling conflicting security requirements
between different organizational entities



The Role of IT Security Management
This is the implementation of the security program governed by the ISG committee.

Led by the CISO, or an equivalent role, the security management draws together a range of security
activities, including, but not limited to:

■ Management of the security program and associated strategic planning
■ Security policy development and implementation
■ Security architecture, both enterprise and solutions
■ Security awareness and education campaigns
■ Projects to implement new security infrastructure
■ Security guidance for nonsecurity projects
■ Security operations (see the section below: The Role of IT Security Operations)
■ Security testing and assurance

All these activities are likely to be conducted in conjunction with other teams. For example, a
security architecture role may exist as a direct report to the CISO, and work as part of a virtual team
in conjunction with a broader enterprise architecture community, or alternatively, an enterprise
architecture team may have a "dotted line" reporting relationship to the CISO. This effectively results
in a matrix approach to security in modern organizations.

The CISO, and indeed the other roles within the security management team, must not only be
experts in their field, but also have other skills, such as business, risk, communication and
negotiation skills. This is consistent with the evolving requirements of risk roles more generally (see
"Meeting the Information Needs of the Chief Risk Officer in 2023").

While some security decisions are likely to be reached through a directive approach, in many cases,
they may alternatively be reached through negotiation and consensus among several parties. This
approach is discussed in more detail in "Gartner for IT Leaders Overview: The Chief Information
Security Officer."

The Role of IT Security Operations


Security operations are the day-to-day activities intended to mitigate IT security risks at the
operational level. Although the purpose of the role is generally consistent among different
organizations, the types of activities that the role performs may vary.

Examples of functions that the IT security operations team may perform include the list below (see
"The Security Processes You Must Get Right").

■ Monitoring — including native consoles, security information and event management,
correlation tools, and other analysis tools that watch for threats, vulnerabilities or environmental
changes that affect risk



■ Implementing configuration changes on some platforms in conformance with change
management and control
■ Deploying patches for security products
■ Providing input on the deployment of patches for nonsecurity products, and making
recommendations as to when out-of-cycle patches are required
■ Implementing and monitoring vulnerability management processes and technologies, and
assessing the enterprise's vulnerability state
■ Liaising with the IT organization to evaluate and implement effective security technologies and
architecture
■ Monitoring the environment for threats and vulnerabilities
■ Keeping current on changes to the threat and vulnerability landscape
■ Providing input on enterprise security policies, and developing security operations procedures
■ Developing, maintaining, monitoring and implementing the technical security architecture
■ Complying with security service-level agreements (SLAs)
■ Acting as the primary operational interaction, performance and SLA compliance-monitoring
contact for any managed security service providers (MSSPs) used by the enterprise, and
monitoring the MSSP's portal
■ Planning and participation in response to incidents
■ Liaising and integrating with other IT operations and service management processes (such as
problem management and configuration management) as appropriate
■ Provisioning and deprovisioning of digital identities and access rights

These activities are a subset of the responsibilities and activities of the broader IT security
organization, as described in the previous section, The Role of IT Security Management.

One of the key areas on which the ISG forum may need to focus is the balance between roles
performed by security and IT operations. Some security functions may, over time, transition from IT
security to IT operations. A detailed discussion is provided in "Gartner for IT Leaders Overview: The
Chief Information Security Officer."

Some of these functions may be executed by the IT operations team under change control, with
security operations acting as a member of the change control board (thus, an approver).
Furthermore, security operations could act in a verification role, using vulnerability scanner results
to confirm either that the patch has been implemented or that the security risk it addresses has
been removed.



However, principles such as SOD require that some security functions, such as monitoring the use
of privileged access, are not transitioned to IT operations. This is a delicate balance requiring
mature processes and a clear understanding of potential conflicts of interest.

Ensure That the Security Governance Forum Itself Has Sufficient Separation From
Security Management and Security Operations to Avoid a Conflict of Interest
The integrity of the security program depends, in part, on the avoidance of conflicts of interest. This
is achieved through a separation of duties regime. Establishing such a regime is difficult to do well,
but it is critical for ensuring the integrity of a policy compliance regime and can be the subject of
detailed auditor scrutiny.

One technique for implementing SOD is through a matrixed organizational (dotted-line) reporting
model, as discussed earlier in this research. This ensures that sensitive roles are exposed to
multiple reporting lines.

Another important tool in implementing SOD is the adoption of a disciplined, process-based
approach to security management, including security operations. This approach would incorporate
the development of responsible, accountable, consulted and informed (RACI) charts to define roles,
responsibilities and decision authority, and also the development of formal process flows using
cross-functional flowcharts to model the flow of decision data and outcomes. Linking formally
defined roles to individual users can also support this movement toward a more clearly defined
process-oriented approach.

The ISG forum is perfectly positioned to ensure that adequate SOD safeguards are in place. By
incorporating representatives from each layer of a three-layered assurance model into the ISG
committee membership, that forum can ensure that each layer is working cohesively, and resolve
issues as they arise (see Note 1).

Recommended Reading
Some documents may not be available as part of your current Gartner subscription.

"Introducing the Gartner Information Security Governance Model"

"Information Security and Risk Governance: Forums and Committees"

"Information Security and Risk Governance: Functions and Processes"

"Gartner for IT Leaders Overview: The Chief Information Security Officer"

"Information Security Organization Dynamics"

"Collaborating for Effective Security Architecture"

"Meeting the Information Needs of the Chief Risk Officer in 2023"



"Best Practices for Designing an Effective Information Security Organization"

"Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management"

"The Security Processes You Must Get Right"

"Best Practices for Data Loss Prevention: A Process, Not a Technology"

"Toolkit: Data Loss Prevention Project Charter"

Evidence
This research is based on 39 client inquiries on the topics of security governance, organization and
operations conducted between 1 September and 30 November 2012.

Note 1 Three-Layered Assurance Model


A three-layered assurance model is an approach for ensuring that risk is adequately managed. For
example, the IT security management function may act as Layer 1 assurance to ensure that the right
activities and decisions occur on a day-by-day basis. Operational risk acts as Layer 2 assurance,
taking a broader operational risk perspective to ensure that security risk processes are adequately
followed and that risk decisions are appropriate. Internal audit acts as a Layer 3 function to formally
assess the system to advise the board audit committee whether it is acting reliably and consistently
with the desired risk appetite. External audit would then rely on these findings to a lesser or greater
extent.



GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Gartner Usage Policy posted on gartner.com. The information contained in this publication
has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the
opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject
to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may
include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include
senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or
influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see
“Guiding Principles on Independence and Objectivity.”
