The effectiveness of IT security professionals in an organization is influenced not only by the usability of security management tools, but also by the fit of an organization's security management model (SMM). Finding the right SMM is critical and yet can be challenging, as there are tradeoffs inherent with each approach, and the implications of these tradeoffs are not clear. We present a case study of one academic institution that created a centralized security team, but disbanded it in favour of a more distributed approach three years later. We contrast this organization's experiences with expectations from industry standards. We found a number of mismatches between the expected SMM outcomes and the reality of our participants' experiences. While some of these mismatches could be anticipated, as they arose from the case study's organizational characteristics that made it difficult to follow standards precisely, others were the result of unexpected aspects influencing an SMM's impact on the organization.
↧