A security operating model enables an organization to focus on identifying risks, recommending risk responses, facilitating tradeoff decisions related to these risks, and providing a line of sight to the execution of these responses. The core of this model is a collaborative continuous improvement process designed to sustain the controls that secure the enterprise. You can learn more about the advantages of a security operating model in “The Security Operating Model: A Strategic Approach for Building a More Secure Organization.”
This article will dive deeper into one of the six areas of focus for developing and maintaining a security operating model: the risk-based business plan. A risk-based plan will help answer questions such as:
The business plan is a powerful tool to ensure alignment across the operating model. A business plan is composed of focus areas that support the organization’s overall vision. Each focus area is further broken down into time-based objectives and measurable supporting tactical initiatives. This tiered model enables the organization to deliberately align every budgeted dollar to an identified risk, while transparently measuring the outcomes against the stated objectives.
The objective of the business plan is to appropriately allocate security resources based on the risks to the organization. Some key points to consider while constructing a risk-based business plan include:
The risk-to-maturity curve provides a structured, methodical, and industry-supported approach to informing and communicating business plan investment decisions. It positions these decisions based on how well they reduce risk and increase security maturity.
Figure 1: Risk-to-Maturity Curve
This approach allows you to address urgent needs while continuously improving your security posture. Use the risk-to-maturity curve to communicate current capabilities, the business plan to demonstrate which risks are being addressed, and both to discuss where you expect to be on the curve over the next planning cycle.
This entire process is done holistically, involving multiple internal and external stakeholders. Without this crucial alignment, plans are often developed in silos, and neither the external stakeholders nor executive leadership is included in the process until the very end. This can lead to uninformed decisions, a lack of organizational support, and misalignment across the entire model. Collaboratively developing the plan with stakeholders is as important as the actual contents of the plan.
Monitoring the performance of your business plan and operating model hinges on security metrics and reporting, oversight, and management controls. To learn more about these critical features, keep an eye out for the next installment of our security series focused on metrics and management controls.
Additional Contributing Author: Hayden Overly