Searching for the Right Fit: A Case Study of IT Security Management Model Tradeoffs

The usability of security systems within an organization is impacted not only by tool interfaces but also by the security management model (SMM) of the IT security team. Finding the right SMM is critical and yet can be challenging, as there are tradeoffs inherent with each approach. We present a case study of one post-secondary educational institution that created a centralized security team, but disbanded it in favour of a more distributed approach three years later. The case study consists of interviews with ten IT staff from across the organization who gave us their diverse perspectives of the realities of managing security in a decentralized post-secondary organization. We contrast this organization's experiences with SMMS with expectations from industry standards and derive organizational factors that impact the success of the models. These factors highlight the importance of considering both the organization's security goals as well as its structure when evaluating potential SMMs. Furthermore, top management support, security policies, and a security team with vested authority, along with the organization's prior security management history, impact the success of a given SMM.