Transitioning to a centralized IT shared services model requires establishing well-defined services, service levels, performance metrics and governance. This piece explains how to design a shared services model to serve customers efficiently, effectively,
A shared service center is a customer-oriented business unit that provides a defined set of services at an agreed-on service level. These services are provided to internal customers (i.e., other business units or groups). The service level is measured
by several metrics. The shared service center defines success with a key performance indicator (KPI), which is the one metric most indicative of the shared service’s performance. Concerns are defined by a key risk indicator (KRI), or the one
metric most representative of increasing risk exposures. For example, a shared service may deliver software to the business and be measured on feature velocity (a KPI) and time-to-remediate vulnerabilities (a KRI).
Shared services generally include:
A typical shared services model features:
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires multifactor authentication (MFA). GRC is responsible for PCI DSS compliance and owns the obligation. Security interprets the obligation as multifactor for specific authentications
using a phone-based one-time password (OTP). IT implements and operates products for MFA, which it configures and maintains on the appropriate IT infrastructure. IT provides a metric or other evidence to demonstrate this control’s efficacy.
GRC audits the MFA in collaboration with the PCI DSS qualified security assessor (QSA).
To be effective as a CoE, ideally, the security team and IT team should have the following:
In the above example, the security function is a CoE with no direct-line responsibilities. In some situations, the security team may also provide services as a shared service similar to IT.
The roles for any given security capability or IT service should be defined and agreed on. Use a RASCI matrix to capture the information (see Figure 1 for an example).
The processes for any given security capability or IT service should be defined and agreed on. Consider using a Supplier-Input-Process-Output-Customer (SIPOC) matrix to document them. This exercise enables the team to reimagine IT as a customer-oriented shared service.
To be successful with shared services, organizations should try to avoid:
The transition period from traditional IT to shared services IT will be the hardest part of this process. Well-governed security capabilities will apply to well-defined IT services in a CoE. During the transition, however, the security team will
have both CoE responsibilities and legacy responsibilities, potentially including managing security operations and IT line duties. Plan for this and, where possible, consider separating the team and its duties between CoE and legacy work to facilitate change and
To help ensure security is well-positioned to succeed in the shared services environment, consider:
May 19, 2022
By IANS Faculty