In many organizations, security efforts focus exclusively on deploying technologies, implementing “best practices,” or responding to continuous alerts and issues. The result is a reactive security organization busy with activity and unable to answer the question, “Are we becoming more secure?” This creates distrust between business leaders and the security organization. Security efforts are seen as expensive—doing more to slow rather than secure the business.
![](https://www.scottmadden.com/content/uploads/2023/12/SOM_Graphic-01-300x252.png)
- Changing focus from information security and physical security controls to security risks. Risk is the basis for all security decision-making and performance management
- Transitioning ownership of security risks. The security organization does not own security risk decisions—the business does
- Providing security leadership. Establish priorities, expectations, and oversight of risks and efforts to address them
Security Organization Priorities
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-02-1-e1622135238329.png)
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-03-978x1024.png)
Control Framework
Using an industry-accepted framework aligns the program with industry expectations and provides a repeatable method for assessing capabilities, so progress can be tracked and measured against the same baseline over time.
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-09-1024x942.png)
Risk-based Business Plan
The business plan’s objective is to allocate security resources based on the risks to the organization. The plan bridges the security strategy and the portfolio of cybersecurity and physical security projects and programs: it operationalizes the strategy by translating enterprise security strategies and concepts into a set of practical plans and actions. A successful business plan aligns with the corporate business model and integrates with stakeholder plans and objectives. It is the most powerful tool for ensuring alignment across the entire operating model on the basis of risk to the organization. The four critical building blocks of the business plan include:
The desired end state is a security program that aligns with the industry-accepted controls framework and your chosen level of maturity.
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-05-1024x515.png)
Critical Security Functions
Critical security functions establish clear ownership and accountability and codify decisions on how the organization will run its business. Management uses them to drive performance, continuous improvement, and innovation. Core functions are where the rubber meets the road. When properly established, security functions have the power to:
- Provide a clear vision of desired security capabilities and corresponding people, process, and technology enablers
- Drive security change and improvements
- Drive performance, continuous improvement, and innovation
- Simplify, standardize, and secure processes
Functional management provides the accountability model necessary to drive security performance.
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-06-1-1024x387.png)
Tiered Security Metrics
“What gets measured gets improved”—security metrics are critical to understanding the health of the function and provide a transparent picture of the security organization. A comprehensive security metrics program unites the operating model with clearly defined goals and measurements, giving a line of sight from day-to-day performance to enterprise security risk reduction. The key to evaluating performance is measuring something impactful, and then continuously challenging and improving upon it.
- A simple place to start is the level of adoption of security controls compared to the organization’s security scope of responsibility. Evaluating control adoption against the scope of assets, by asset priority, shows what is being secured and how deeply security permeates the organization. Conversely, the same compliance metric makes explicit the risk the organization is accepting, because it defines what is not secured
- These metrics serve as a barometer for the security risk threshold of the organization and the foundation for improvement initiatives within the business plan across all information and physical assets
- Investigating how deeply security permeates the organization and discussing risk tolerance will help set the stage for alignment among leaders
Security metrics are critical to understanding the health of the core function and provide a transparent picture of the organization’s security.
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-07-1024x544.png)
- Metrics are designed from the top down and developed to support organizational goals and objectives
- Metrics must provide for greater visibility and transparency into goal attainment instead of meaningless “stick counts”
- Security goals must be specific, limited, meaningful, and have context
Oversight & Management Controls
Oversight and management controls ensure performance meets expectations. Management oversight ensures everything ties together within a continuous improvement loop. The results provide transparency on the adoption of the controls framework, inform the governance structure, challenge the scope, and lead to gap-based and risk-informed initiatives for inclusion in the business plan.
Management controls ensure the organization is readily able to check performance and adjust direction as needed.
Conclusion
This security operating model defines the organization’s agreed-upon approach for responding to security risks and establishes expectations for who is responsible for what. This becomes the baseline against which security performance is monitored.
Organizations too often go directly from strategies, concepts, and objectives to projects, technologies, and procedures, but do not achieve their desired results and struggle to explain why they are doing what they are doing.
![](https://www.scottmadden.com/content/uploads/2021/02/SOM_Graphic-08-1024x1022.png)
No two operating models are the same, and each organization faces its own unique set of challenges, but an effective operating model shares the following characteristics:
- It is aligned with the organization’s security stakeholders
- It is grounded in securing high-risk areas, using the most effective method of mitigating risk tailored to the organization’s risk tolerance
- It provides oversight that paints an objective picture of the organization’s security risk posture