Difference between revisions of "CISO AppSec Guide: People and Organisation"
Revision as of 21:28, 18 August 2016
Part V: People and Organisation
V-1 Executive Summary
Having set up the program, the strategy, risk management and policies, we now turn to the people and the organisational structures that can support and strengthen the application security strategy.
V-2 Organisation
Organisation Structures Variance
To work out what a good and effective organisation structure looks like, it is useful to analyse the different dimensions of the various established practices together with their success criteria, strengths and weaknesses. Organisation structures vary greatly from one organisation to another, and further reviews showed that even when functions carry the same name, they do not necessarily carry the same responsibilities, capabilities or capacities.
The shape of an organisational structure is often driven by
- historical reasons (e.g. which department first started to care about security, or simple political calculations)
- company culture (which organisational structure fits the company culture best)
- the individual leader's abilities and preferences (if a department leader has a background in one specific area, that area may be added to the security functions more or less by chance; equally, if the leader is sceptical about some areas, they may decide to keep such functions separate...
Frameworks: Organisation Design Principles
Synergies
- Maximise synergies with related functions
- Customer Value
- Avoid conflicts of interest