Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Transitioning to a centralized IT shared services model requires establishing well-defined services, service levels, performance metrics and governance. This piece explains how to design a shared services model to serve customers efficiently, effectively,
A shared service center is a customer-oriented business unit that provides a defined set of services at an agreed-on service level. These services are provided to internal customers (i.e., other business units or groups). The service level is measured
by several metrics. The shared service center defines success with a key performance indicator (KPI), which is the one metric most indicative of the shared service’s performance. Concerns are defined by a key risk indicator (KRI), or the one
metric most representative of increasing risk exposures. For example, a shared service may deliver software to the business and be measured on feature velocity (a KPI) and time-to-remediate vulnerabilities (a KRI).
Shared services generally include:
A typical shared services model features:
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires multifactor authentication (MFA). GRC is responsible for PCI DSS compliance and owns the obligation. Security interprets the obligation as multifactor for specific authentications
using a phone-based one-time password (OTP). IT implements and operates products for MFA, which it configures and maintains on the appropriate IT infrastructure. IT provides a metric or other evidence to demonstrate this control’s efficacy.
GRC audits the MFA in collaboration with the PCI DSS qualified security assessor (QSA).
To be effective as a CoE, ideally, the security team and IT team should have the following:
In the above example, the security function is a CoE with no direct-line responsibilities. In some situations, the security team may also provide services as a shared service similar to IT.
The roles for any given security capability or IT service should be defined and agreed on. Use a RASCI matrix to capture the information (see Figure 1 for an example).
The processes for any given security capability or IT service should be defined and agreed on. Consider use a Supplier-Input-Process-Output-Customer (SIPOC) matrix. This exercise enables the team to reimagine IT as a customer-oriented shared service.
To be successful with shared services, organizations should try to avoid:
The time during the transition from traditional IT to shared services IT will be the hardest part of this process. Well-governed security capabilities will apply to well-defined IT services in a CoE. During the transition, however, the security team will
have CoE responsibilities and legacy responsibilities, potentially including managing security operations and IT line duties. Plan for this and, where possible, consider separating the team and duties between CoE and legacy to facilitate change and
To help ensure security is well-positioned to succeed in the shared services environment, consider:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 21, 2023
By IANS Faculty
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.
September 14, 2023
Learn how to use a three-step approach to defending and managing public and private APIs while avoiding common mistakes.