A recent analysis conducted by Sophos delved into the relationship between organizational structure and cybersecurity outcomes, shedding light on how the structure of a cybersecurity function can impact the overall security posture of an organization. The study, based on a survey of 3,000 IT/cybersecurity professionals in mid-sized organizations across 14 countries, aimed to identify which organizational structure yields the best cybersecurity results.
The survey participants were categorized into three main groups based on their organizational structure:
– Model 1: Organizations where the IT team and the cybersecurity team are separate entities
– Model 2: Organizations with a dedicated cybersecurity team as part of the IT organization
– Model 3: Organizations where there is no dedicated cybersecurity team, and cybersecurity is managed by the IT team
The analysis revealed that organizations with a dedicated cybersecurity team within the IT organization (Model 2) reported the best overall cybersecurity outcomes. On the other hand, organizations where the IT and cybersecurity teams were separate (Model 1) reported the poorest experiences. This suggests that having cybersecurity and IT operations closely integrated within the same team leads to more favorable security outcomes.
The research also highlighted the importance of having the right cybersecurity skills and capacity within the organization. While organizational structure plays a role in cybersecurity outcomes, having the necessary expertise is crucial regardless of the structure. Organizations lacking in-house cybersecurity capabilities may benefit from partnering with specialized third-party cybersecurity providers to enhance their defenses.
The analysis compared the experiences of the three organizational models across various areas, such as the root causes of ransomware attacks, ransomware recovery, security operations delivery, and day-to-day cybersecurity management. One interesting finding was that the reported root causes of ransomware attacks varied depending on the organizational structure, with different models experiencing different vulnerabilities.
Model 1 organizations were more likely to pay ransoms and reported lower rates of backup use for data recovery, while Model 2 organizations fared best in security operations delivery. However, all three models faced similar challenges in day-to-day cybersecurity management, with common concerns around advanced cyber threats, data exfiltration, phishing, and security tool misconfigurations.
It is important to note that the analysis focused on correlation rather than causation, and further research is necessary to understand the reasons behind the outcomes. Factors such as industry sector, team skill levels, staffing, and organizational age can also influence cybersecurity outcomes.
Overall, the findings of this analysis provide valuable insights into how organizational structure can impact cybersecurity outcomes. By understanding the relationship between structure and security results, organizations can optimize their defenses and better protect against evolving cyber threats. Further research in this area can help organizations leverage their internal structure to enhance their cybersecurity posture and stay ahead in the ever-changing cybersecurity landscape.