This might sound like fancy jargon, but it doesn’t have to be, and it is important in enabling your security team to deliver security outcomes to your organisation (and in articulating how you’re going to do this in a way that your stakeholders can understand). By developing and implementing your security operating model you can effectively set priorities and expectations within your team and across your organisation, in order to focus on what matters most.
At its core, an effective security operating model will:
- Articulate the capabilities (services) provided by the team
- Outline the key inputs, outputs, and dependencies
- Define key roles and responsibilities, and necessary tooling, for delivery and governance
- Set out a development roadmap for enhancement where required
Having done this myself as a CISO, and whilst working with a range of client organisations, I’ve found there’s no one-size-fits-all approach. You need to develop your security operating model in the right way for your organisation – this could be a heavyweight, industry-aligned capability architecture with supporting service roadmaps, or it could be a more informal exercise with key members of the team and summary documentation.
So where to start?
Firstly, consider the organisational requirements for security and what the organisation needs security to deliver. By way of example, if you’re a software house you probably need to nail DevSecOps; if you’ve got a large remote workforce you may need engaging and impactful security training. If you need some inspiration, the Institute of Information Security Professionals (https://www.iisp.org/) has some good people-centric capabilities, or you can choose relevant domains from other frameworks or standards, such as NIST (https://www.nist.gov/cyberframework) or ISO27001 (https://www.iso.org/isoiec-27001-information-security.html).
Secondly, understand and articulate where security capabilities are being delivered from. Good security doesn’t mean you need to build a large internal empire; some elements may be best led by your colleagues in Infrastructure or Data Protection, for example. However, it’s important to formally identify and agree this.
Finally, for the capabilities your team owns, plan out how they’ll be delivered, taking into account:
- The services your team offers including the key inputs and outputs, main stakeholders, and how they are delivered in practice
- Getting the structure of the team right: developing and maintaining meaningful roles or job descriptions to deliver the required capabilities, internal reporting lines, and external lines of communication with other teams and functions
- How to best continue and promote existing good practice within the team
- Closing capability gaps in a creative way – you may need to enhance skills and processes in-house, borrow from peers in other organisations, or buy in support to accelerate improvement
- How you can begin to meet aspirational, but necessary, capabilities over the medium to long term
- A proportionate approach to defining relevant “metrics” that will allow you to satisfy your stakeholders and, more importantly, measure your progress
As with everything, you’ll need to keep your security operating model under review and adjust it as necessary to ensure it remains accurate and relevant.