Mini-Management for Cyber Software Inc - Case Study Example

Introduction

Cyber Software, Inc is a medium size firm that deals with the development of cyber software protection products. The company has been on a steady rise, posting an after tax profit of 10 million dollars per annum. The major clients of the company are the state and federal governments. Due to the lack of preparedness, the company became a victim of a recent hack which saw credit card information of its clients being used to pay for parking tickets, sewer, pay water and real estate tax. The incident marked a turnaround for Cyber Software, Inc as it leads to the institutionalization of measures to mitigate such an incident in the future and thus make the business operations safer. Apart from the realization of the need to change the vision and mission, Joseph Jackson, who is the CEO of the company, institutes two separate departments that were tasked with new program development, and victim cleans up and damage control. After one year, the new departments were deemed ineffective and this because of the lack of an efficient organizational structure. The section that follows diagnoses the problem and comes up with effective policy guidelines and structure that can be adopted by Joseph Jackson.

An organization must be well equipped and structured so as to establish a fast and efficient means of responding. The efficiency in detecting and successfully analyzing an attack can significantly limit and lower the cost of recovery. In a computing environment, an essential aspect of security is response time and the efficiency of response. The best to achieve the two aspects is to establish formal organizational structures that can deal respond to incidents and avert those than can be averted (Thomas, 2002). The most effective, tried and tested means is through the establishment of a Computer Security Incident Response Team (CSIRT) (Thomas, 2002). Establishment of the team is a long term strategy, especially given that over time, the team develops an understanding of intruder trends and attacks and thus from this come up with efficient methodologies to avert any attacks.

Implementation of a CSIRT is key to the achievement of an organized and well-structured approach towards the eradication of computer security incidents and problems. For efficient functioning, the firm must be structured so that it acts as a center for incident information, a repository of incident information, and as a coordination wing for the security Responses in the firm (Mellon, 2008). The coordination that will be involved in the operation in the teams should be both internal and external with agencies such as security experts and law enforcement being involved.

The divisions that Jackson envisioned can be reorganized and incorporated with a CSIRT. The section will look at how the two departments will be integrated into the team and develop a structure through which the team can engage with other departments such as the management, Helpdesk, and the IT departments.

The new organization’s Mission and Vision

As with the setting of mission and vision, the new vision should be brief and be able to describe the new business model of the company. With the incorporation of programs development and the response department, the model of the firm has expanded to include functionalities such investigation of computer crimes, coordination of information, analysis of attacks and intrusions, monitoring of intrusion detection systems, recovery of systems and the facilitation and coordination of response activities (Mason & Talya, 2010). The mission and vision determine the organizational model and thus given that the new business specification includes information exchange, analysis, and system recovery and patching, it is imperative that information collection and sharing platforms are created, together with a mechanism that enables the employees to access the site where systems are located (Mason & Talya, 2010). The new mission and vision can thus be defined as:

Mission Statement:

“We provide the safest security service and products in the market for our clients to operate their business efficiently and securely.”

Vision Statement

“To be the number one globally acclaimed organization in the provision of information assurance and cyber security through the delivery of world-class security protection services and products.”

Organizational structure For the Software Company

To come up with a sound organizational structure, it is important to analyze and understand the business operation regarding a division of labor, departmentalization, Span of control and authority. Traditional bureaucratic structures were majorly aimed at the strengthening of job specialization by the size of the organization. Traditionally, the grouping of the organization was done according to the functions of various individuals so that for example all the accountants would be found under the accounting department (Killcrece, 2003). With this kind of setting, the decision-making process was a reserve only for the top management and employee was neglected in the process. The rise of the motivational theory placed pressure on this kind of structure and finally various organizational structures emerged that were more favorable in the boosting of productivity of a firm.

Another organizational structure is the matrix structure. This structure is achieved by the combination of different structures so as to come with one structure. This structure tries to mix up employees so as to have departments being as wholly dependent on itself as possible. This structure is essential as it removes the duplication of functions and improves the efficiency of a unit (Baligh, 2005). The structure is however affected by the issue of dual reporting structure which leads to interdepartmental conflicts.

For the Cyber Software Inc., the best approach is to adopt a flat organizational structure which encourages the development of horizontal connections and relationships, while at the same time cutting down on the vertical reporting relationships. The firm should avoid the creation of middle-level management and aid the company in the creation of an organizational culture that is centered on a centralized leadership. For a flat organizational structure to be viable, the management should ensure that all the roles of the workers are well defined so as to avoid any conflicts such as those seen in the running of the day to day activities (Schein, 2010). To create an organizational culture that is effective, the management should set up goals for all the department and individuals, with a reward system that show appreciations for the attainment of the goals (Schein, 2010). Since this is a technology based firm, the best approach to flatten the firm is to create computer networks that link all the departments so as to facilitate group work through efficiency in communication and decision making. Integration of technology into management will enable the company eliminate bureaucracies and turn it into a boundaryless organization where the distributors, suppliers, customers, employees, and managers are digitally connected. Traditional structures are not efficient for a company like Cyber Software Inc., especially because it is not flexible and thus does not ideally support tasks that are interdependent. A Flat organization gives room for decision-making and goal-setting across all the levels and thus communication are done more freely. With the planning phase, this type of management involves the employees directly in planning, and this creates a sense of ownerships of projects implemented by the firms and eliminates the problem of resistance to change (Schein, 2010).

Organizational model with integrated CSIRT

Having identified the organizational structure that bests suites Cyber Software Inc. as a flat organizational structure, the next phase is to see how the company can practically implement it. From the analysis of the existing structures, the company can be divided into three four major levels: the system users, employees, management, and the external experts and organizations. The data presented on the employees necessitates the creation of four key departments: Legal department, IT department, Helpdesk, and CSIRT. The IT department is made up of the four program developers. A representation of this shown in figure 1 below.

Figure 1: A departmental breakdown of the Company with CSIRT integrated (Mellon, 2008).

Under the new structures, the operation of the firm begins with the detection phase. This phase can either be initiated by the System users who can raise an alarm, or by the IT department which can deter an intrusion through the use of system monitoring techniques. When the detection is from the user’s side, the Help desk is utilized in the reception of the information. It is imperative to have an IT personnel at the Help desk so that they can weigh in on the alarm raised and see whether it is worth any analysis (Mellon, 2008). Joseph’s act of recruiting two programmers for the customer service/Help desk is a good move.

After the detection phase, which could be initiated by the IT department or the help detection with the help of the system users, the next process is the triage phase. At this stage all the incidences are sorted, prioritized, categorized and assigned various information such as vulnerability reports (Mellon, 2008). The task is a mandate of the Computer Security Incident Response Team which sorts the incidences to come up with the priority areas which are then analyzed. Analysis report will show whether a legal, managerial or technical response is required. If the response is either legal or managerial, the company must be structured in such a way that the legal department and the management must be consulted respectively.

The most important phase of tackling the issues faced by the company is the coordination between the various departments in the resolution of problems. At this phase, the help desk provides any available information on a problem at hand while external experts can be relied on to provide advice on how best to resolve an intrusion issue (Bagad, 2009). With the development of a new program, the firm can use the same approach. With all the information availed, the management and the legal departments are key in the analysis of the operations. Given that the firm is dealing is dealing with data, matters of legal responsibility arise and thus paralegals can guide the company on the right part. The coordination of the departments is crucial as it creates a sense of unity of direction. Management plays a vital role in the coordination of activities at this phase mainly because planning is involved in the tackling of events (Bagad, 2009).