In an era of ‘as-a-Service’, could security be the next candidate for the treatment? Having came from a client-facing consulting background, my first in-house role has been somewhat of a cultural shock, but also a fantastic learning experience. It’s the first time that I’m within a function which actively consumes resources rather than generates revenue. Statements of Work (SoW) have been replaced with business cases for investments. For many organisations, security is a centralised function designed to protect the organisation and its customers; this makes sense on a number of levels: i) better visibility of the toolsets; ii) centralised location for specialised skillsets; iii) bigger community of users for whom experience can be shared; iv) lower operational and administrative overheads for the organisation as a whole; v) specialised contractual negotiations, leveraging an organisation’s scale.
All appear to be working nicely, so why reinvent the wheel? But my consulting mindset is niggling away at me; does a security function have to be a net consumer of resources? The part of my role which provides the biggest benefit to the organisation and its business units, is that of being an advisor, to teams across the business for which security per se is not their main job function. It feels akin to teaching the teams how to fish, with guidance on which nets and other angling equipment is best for their circumstances, rather than the more reactive approach of trying to give them the fish, the latter of which is also less scalable. The internal security function is in fact providing consultancy services, albeit on an unfavourable cost model!
Cross-charging between different departments is common practice, especially for large organisations which are made up of multiple business units. Having a centralised security function with specialist skills made available through a service-based model makes sense due to efficiencies gained from economies of scale and cross-functional knowledge sharing. Given the importance of security for every part of an organisation, a service-based model and funding structure should provide a more sustainable cost model. Directly or indirectly, every department or business unit will have their own P&L (Profit and Loss). Could moving to a more direct funding structure based on service rendered be a better way forward?