CyberDefenseMagazine

Innovator Spotlight: The Open Group


The Open Group’s Quiet Revolution In Security Roles

If you have been around this industry long enough to remember the Unix wars, you already know that most “new” ideas in cybersecurity are just old ideas with better branding.

The Open Group is the exception that proves the rule.

“I am John Linford,” the man across from me says, spelling out his name like he has done this a thousand times. He has. “I’m with The Open Group. I am our security portfolio director, so I’m responsible for our Security Forum, which is more of the cyber security side of things, our Open Trusted Technology Forum, which is the supply chain security side of things, as well as our assured dependability work group, which gets more into combining enterprise architecture with some extra practices for the dependability of that architecture, and now mixing in security practices as part of those processes.”

If that sounds like a lot, that is because it is. But beneath the forums and work groups is a simple idea: security needs standardization that people can actually use in the real world, not just in PowerPoint decks.

And that is where The Open Group quietly does some of the most foundational work in the industry.

From Unix Wars To Zero Trust Reality

“The Open Group” has the sort of generic name that sounds like it was generated by a committee, which is fitting, because in a sense it was.

“The Open Group [is] a global standards organization,” Linford explains. “We are open as the name implies, coming originally out of the Unix wars. So [we] still maintain all of the UNIX Specification.”

Long before Zero Trust became the buzzword that launched a thousand vendor booths, The Open Group was in the business of taming chaos. Back then, the chaos was competing Unix variants. Today, it is the explosion of security roles, responsibilities and expectations inside every modern organization.

The organization itself predates its own name.

The current brand “came out of the X/Open Foundation, and if I remember correctly, the Open Software Foundation, it was well before I joined The Open Group,” Linford recalls. “I’ve only ever known The Open Group as The Open Group, and I’ve been in the industry for 22 years now, so that’s all I have ever known it by,” he adds, noting the naming “came at some point in the mid 90s.”

What has not changed is the focus: bring order to fragmented ecosystems through open, consensus driven standards.

“We’ve got some of our publications going back into the early 90s,” Linford notes, “and really looking at providing a consistent way for organizations across private and public sectors to have consistent security processes, rather than needing to do everything unique or specific to their context, but being able to tailor to their own needs.”

That last bit is key for CISOs. Every environment is unique, but no one has time to reinvent the wheel for every role, responsibility or process. The tension is between consistency and flexibility. The Open Group lives in that tension.

Security Is Everyone’s Job. Now What?

There is a cliché you have probably heard in every board meeting since about 2015: “Security is everyone’s responsibility.”

The problem is that very few organizations have done the hard work of turning that slogan into specific, accountable tasks at the individual role level.

Linford’s team has been trying to fix exactly that.

“The most recent, or one of the most recent publications from the security forum is our security roles and glossary standard series,” he explains. “We’ve noticed that security is part of everyone’s job. We’ve known this for a while. Zero Trust has really solidified that fact and is gaining more adoption.”

Then he gets to the point that every CISO will recognize.

“But it’s not just the security specific roles that have a security task. So what this series does is look at defining, what are your security specific roles? What are roles that have really little or anything to do with security, and then what are kind of those hybrid roles that do a little bit of both sides and outlining responsibilities and accountabilities for each of those roles in that security context, and that goes down as well to what happens if you don’t do your security tasks.”

In other words, this is not a fluffy “culture of security” poster for the hallway. It is a structured way to map who does what, where security shows up in their job description and what the implications are when it does not.

If you have ever been on a post incident call where legal, HR, engineering and security argue about who “owned” multi factor configuration or vendor review, you already know why this matters.

Designing For the Very Small and the Very Large

One of the more quietly impressive aspects of The Open Group’s work is that it is designed to scale both down and up. That is not something you can say about many frameworks that were clearly written by and for large enterprises.

“Making [it] a little bit easier for organizations of any number of sizes to figure out what kind of employees do we need? What do we need them doing?” Linford says of the security roles and glossary work.

He does not stop there. He explicitly calls out both ends of the spectrum:

  • “If you’re a small organization, what are the different types of tasks that the one person is going to be doing to consolidate some of these roles?”
  • “Or if you’re a really big organization, how do you sort of divvy those up as efficiently as possible?”

This is the reality of security leadership in 2026. One CISO is trying to keep a three-person team from burning out while also meeting customer demands for SOC 2 and ISO alignment. Another is trying to rationalize a hundred-person security org that grew through acquisitions and looks like a patchwork quilt.

They both need the same thing: a clear vocabulary for roles and responsibilities, and a way to map tasks to job functions without drowning in complexity.

More Than ITIL With New Paint

At this point in the conversation, the obvious question comes up. Is The Open Group just reinventing something like ITIL for security roles?

“Is this an attempt to recreate the ITIL format for, you know, that type of tasking and assignments and ownership labels and…” the interviewer asks, trailing off on what many readers are probably thinking.

Linford is diplomatic but clear.

“Not quite,” he says. “There definitely is some similarity and crossover, not so, not really a recreation.”

He also acknowledges that this work does not exist in a vacuum.

“There’s also some crossover with like what NIST is doing and CC, of the NICE framework,” he notes, pointing to existing workforce and role taxonomies that many security leaders already touch through compliance or internal HR work. “Slightly different contexts. And ours is really aimed at getting the individual employees to understand what their tasks are.”

That last sentence is where the distinction really lies. A lot of frameworks talk about roles at the level of organizational charts and HR plans. The Open Group is focused on the line where that theory becomes daily work. Their security roles and glossary series is ultimately about the individual employee sitting down and knowing, “These are my security tasks. These are my accountabilities. Here is what it means if I get this wrong.”

For an industry that loves its buzzwords, that is refreshingly practical.

The Power of Shared Language

If you think a “glossary” sounds boring, remember the last time two teams used the same word to mean slightly different things. Then recall how long you argued about it.

Linford understands this all too well.

“So far for that, we’ve got an initial glossary, because defining terms [is] always really important for any conversation,” he explains. Alongside that, there is “some guidance on actually implementing the roles,” and then “our first two sort of sub documents in there are around organizational leadership and governance and your security operations, or SOC team.”

This is where The Open Group’s decades of standards work show through. Long before “alignment” became a slide on every strategy deck, they were in the business of making sure people in different organizations could talk to each other in compatible ways about Unix, enterprise architecture and technology procurement.

Security is just the latest battlefield where a common language determines whether your program is coherent or just a collection of heroic individual efforts.

For CISOs, the benefit is obvious: less time refereeing definitional arguments, more time actually improving controls and outcomes.

Why CISOs Should Care Now

There is no shortage of frameworks, maturity models or best practice guides in this space. Most of them are well intentioned. Many of them are ignored.

The Open Group’s security roles and glossary standard series deserves a closer look from security leaders for a few pragmatic reasons:

  1. It acknowledges that security is part of everyone’s job but does the hard work of spelling out what that means in specific roles.
  2. It is designed to be useful for both small and large organizations, helping you consolidate or subdivide responsibilities without losing clarity.
  3. It fits alongside existing ecosystems you probably already touch, including NIST guidance and workforce frameworks, instead of trying to replace them.

There is also a less obvious, but powerful, reason. A shared, standards-based model for roles and responsibilities provides cover.

When you go to your board or executive peers and explain why certain tasks must sit with product management, engineering, operations or business units, you are no longer just “the security person making more work.” You are aligning the organization to an external, consensus driven model that has been battle tested across sectors.

That may not win every argument, but it changes the conversation.

A Call to Action for Security Leaders

If you are a CISO or senior security leader, you are already juggling enough priorities. No one is asking you to become a standards wonk in your spare time.

But it is worth taking a deliberate, structured look at how The Open Group’s work can support what you are already trying to do. Start by asking three questions inside your own organization:

  • Do we have a clear, documented mapping of security responsibilities across technical, business and leadership roles?
  • Would a new hire in any key function be able to read that mapping and understand their security tasks and accountabilities without a one-on-one explainer?
  • When something goes wrong, do we have a shared, nonpolitical reference for who owned what?

If the honest answer to any of those is “not really,” The Open Group’s security roles and glossary standard series is worth a look.

At a practical level, that might mean:

  • Bringing your HR and security operations leaders together to review the glossary and roles guidance and compare it with existing job descriptions.
  • Using the organizational leadership and governance sub documents as a sanity check on your current RACI matrices and decision authorities.
  • Evaluating how your SOC team’s responsibilities align with the roles outlined in the standard and where gaps or overlaps exist.

Security will continue to be “everyone’s job.” The question is whether you want that to be a vague slogan, or a concrete, defensible structure that scales with your business.

The Open Group has been solving versions of this problem since the days when Unix variants were fighting for dominance and Zero Trust was not even a phrase. Their work on security roles and language is the modern expression of the same mission: reduce chaos, increase interoperability and give practitioners tools that actually work.

In an era where every vendor claims to be “redefining” or “reimagining” something, there is something reassuring about an organization that just keeps quietly publishing standards that help the rest of us get on with the job.

If you are serious about maturing your program in a way that is understandable to your people, sustainable for your teams and defensible to your stakeholders, put The Open Group’s security roles and glossary work on your reading list.

You have enough things to reinvent. The model for who owns what in security does not have to be one of them.

Author’s Note

The author sat down with John Linford, Security Portfolio Director at The Open Group, in a post-conference conversation after the 2026 RSAC Conference in San Francisco to discuss how the organization is tackling the messy reality of security responsibilities inside modern enterprises, from leadership and governance to SOC operations and hybrid roles that live between business and security.

For more information, please visit www.opengroup.org.


About the Author

Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.

Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
