Many enterprises are developing internal groups to run security operations, known as "sec-ops." These groups are responsible for monitoring and responding to security events. To ensure they operate effectively, putting the right organizational structure in place is critical.

There are, broadly speaking, three disciplines in enterprise information security. Governance is concerned with the evaluation of risk and the definition of enterprise security policies. Security implementation is the discipline of converting security policies into technical controls. Finally, audit and compliance is the discipline that ensures that policies are correctly implemented and enforced. Organizing the three roles under a single group that is distinct from data center architecture and operations not only isolates security functions in a "silo" but also places the audit role far too close to the implementers. It is best to align security operations more closely with overall data center operations.

A security operations team's main role is monitoring the infrastructure and applications for security events, responding to those events, and conducting "post-mortem" analysis to recommend improvements to security policy or implementation. To be effective against insider threats from system administrators and security administrators, the security operations team needs to operate independently of those implementing security controls, which is hard to do if they are part of the same overall team.

Additionally, responding to a security event requires that it first be identified as a security event. Differentiating between a security event and a network or application failure is often very difficult, especially in the early stages of troubleshooting, so sec-ops needs to work more closely with the overall operations group.
The security operations team therefore needs to be part of the operations group, for many reasons:

* The tools and protocols used to monitor the infrastructure and applications for "unintended" failures are the same as those required to detect "intentional" breaches. "Intent" is usually determined after the fact through analysis of an event.
* The skills needed to prioritize response based on the business criticality of an affected application are the same, regardless of the root cause.
* Analyzing an anomalous event requires knowledge of what a "normal" response looks like. Operations groups have a better understanding of the infrastructure as a whole and are better equipped to identify anomalies.
* One of the most important tools for any operations team is a ticketing system for generating and tracking "faults." Such a system is also a critical component of a security incident response process.

Enterprise IT executives should create a security operations team that is closely integrated with the broader network/systems operations group. The sec-ops team should report to the other security groups (governance, implementation) on a regular basis, and especially after an incident "post-mortem." Every security breach represents a failure of security policy or a failure of security implementation. As the watchdog for security, the sec-ops team should provide regular feedback to ensure that security policies and implementation reflect the "lessons learnt" through continuous improvement. The only certainty in the security business is that a lesson not learnt will soon be on the curriculum again.