The structure of an information security program is its performance at every level of the organization. The reach of the program, how each business unit supports the program, and how every individual carries out his or her duties as specified in the program all determine how effective the program will be.