The Security Operating Model: A Strategic Approach For Building a More Secure Organization

In many organizations, security efforts focus exclusively on deploying technologies, implementing “best practices,” or responding to continuous alerts and issues. The result is a reactive security organization busy with activity and unable to answer the question, “Are we becoming more secure?” This creates distrust between business leaders and the security organization. Security efforts are seen as expensive—doing more to slow rather than secure the business.

A more strategic approach is necessary—acknowledging the reality that security needs will always exceed security capacity, optimizing security resource allocations, and demonstrating progress toward a more secure organization. This requires the security organization to transition from security operators to security leaders by:

• Changing focus from information security and physical security controls to security risks. Risk is the basis for all security decision-making and performance management
• Transitioning ownership of security risks. The security organization does not own security risk decisions—the business does
• Providing security leadership. Establish priorities, expectations, and oversight of risks and efforts to address them

Security Organization Priorities

The security organization’s priority is to identify risks, recommend responses to them, facilitate the appropriate tradeoff decisions, and provide a line of sight to the execution and performance of those risk responses. A security operating model enables this approach. It governs and oversees security for the entire organization, where the business is not only a recipient of security services but is also instrumental in the collaboration, implementation, and sustainability of security efforts. The operating model uses a risk-based approach to identify and prioritize risk mitigation efforts that secure the enterprise’s mission. The core of a security operating model is a collaborative, continuous improvement process designed to sustain the controls that secure the enterprise. A comprehensive security operating model includes the following components:

Enterprise Security Governance Model

The enterprise security governance model ensures collaboration with the business. An executive committee with the CSO/CISO and senior leadership from across the organization balances the organization’s security risks against their overall costs. Through the operating model, security leadership provides a clear vision of desired security capabilities and the corresponding people, process, and technology enablers.

Control Framework

A security policy based on an industry-accepted controls framework provides the structure and guidance to apply best practices and identify gaps in security coverage. This ensures the enterprise is thinking holistically about its security performance. The control framework cascades throughout the enterprise to ensure alignment across assets and operating areas. Alignment and collaboration are the keys to continuous and efficient operations. Using an industry-accepted framework also aligns the program with industry expectations and provides a method for regular capability assessment to track and measure progress.

Risk-based Business Plan

The business plan’s objective is to allocate security resources appropriately based on the risks to the organization. The plan provides a bridge from a security strategy to a portfolio of cybersecurity and physical security projects and programs: it operationalizes the security strategy by translating enterprise security strategies and concepts into a set of practical plans and actions. A successful business plan aligns with the corporate business model and integrates with stakeholder plans and objectives. The four critical building blocks of the business plan include:

The business plan is the most powerful tool to ensure alignment across the entire operating model based on risk to the organization.

The desired end state is a security program that aligns with the industry-accepted controls framework and the organization’s chosen level of maturity.

Critical Security Functions

Critical security functions establish clear ownership and accountability and codify decisions on how the organization will run its business. Core functions are where the rubber meets the road. When properly established, security functions have the power to:

• Provide a clear vision of desired security capabilities and corresponding people, process, and technology enablers
• Drive security change and improvements
• Drive performance, continuous improvement, and innovation
• Simplify, standardize, and secure processes

Functional management provides the accountability model necessary to drive security performance.

Tiered Security Metrics

“What gets measured gets improved”—security metrics are critical to understanding the health of each function and provide a transparent picture of the security organization. A comprehensive security metrics program unites the operating model with clearly defined goals and measurements, providing a line of sight to performance and enterprise security risk reduction. The key to evaluating performance is measuring something impactful, then continuously challenging and improving on it.

• A simple place to start is the level of adoption of security controls compared to the organization’s security scope of responsibility. Evaluating control adoption against the scope of assets, by priority, gives a logical understanding of what is being secured and how deeply security permeates the organization. Conversely, this compliance metric also illustrates the risk the organization is accepting by clearly defining what is not secured
• These metrics serve as a barometer for the organization’s security risk threshold and the foundation for improvement initiatives within the business plan across all information and physical assets
• Investigating how deeply security permeates the organization and discussing risk tolerance will help set the stage for alignment among leaders

For metrics to give a transparent picture of the organization’s security:

• Metrics are designed from the top down and developed to support organizational goals and objectives
• Metrics must provide greater visibility and transparency into goal attainment instead of meaningless “stick counts”
• Security goals must be specific, limited, meaningful, and have context

Oversight & Management Controls

Oversight and management controls ensure performance meets expectations. Management oversight ties everything together within a continuous improvement loop. The results provide transparency on adoption of the controls framework, inform the governance structure, challenge the scope, and lead to gap-based and risk-informed initiatives for inclusion in the business plan. Management controls ensure the organization can readily check performance and adjust direction as needed.

Conclusion

This security operating model defines the organization’s agreed-upon approach for responding to security risks and establishes expectations for who is responsible for what. This becomes the baseline against which security performance is monitored.

Organizations too often go directly from strategies, concepts, and objectives to projects, technologies, and procedures, but do not achieve their desired results and struggle to explain why they are doing what they are doing. The security operating model operationalizes your security strategy—translating broad visions of enterprise security into a set of practical and realistic plans and actions. Through the operating model, security leaders can provide a clear picture of desired security capabilities and the corresponding people, process, and technology enablers. A security operating model balances risks to the organization within industry expectations and drives decisions about where to invest security resources.

No two operating models are the same, and each organization faces its own unique set of challenges. An effective operating model nonetheless shares three characteristics:

• It is aligned with the organization’s security stakeholders
• It is grounded in securing high-risk areas, using the most effective method of mitigating risk tailored to the organization’s risk tolerance
• It provides oversight that paints an objective picture of the organization’s security risk posture

Ultimately, security leaders should operate as the conductor of an orchestra, leading multiple instruments in unison around a common piece of music (the operating model). A deliberate effort must be made to blend their melodies and harmonies into the symphony that is successfully securing the enterprise’s mission. Security professionals seeking to build trust with business leaders and demonstrate progress toward a more secure organization through a strategic, rather than reactive, approach should adopt this security operating model.
