The Security Operating Model: A Strategic Approach for Building a More Secure Organization

In many organizations, security efforts are focused almost exclusively on deploying technologies, implementing “best practices,” or responding to a continuous stream of alerts and issues. The result is a reactive security organization, busy with activity and unable to answer the question, “Are we becoming more secure?” The result is friction and distrust between business leaders and the security organization. Security efforts are seen as expensive—doing more to slow rather than secure the business.

A more strategic approach is necessary. It acknowledges the reality that security needs will always exceed security capacity, provides direction to optimize security resource allocations, and demonstrates progress toward a more secure organization. This approach requires the security organization to transition from security performers to security leaders by:

  • Changing their focus from security controls to security risks: Risk is the basis for all security decision making and performance management
  • Transitioning ownership of security risks: The security organization does not own security risk decisions, the business does
  • Implementing a security operating model to govern this strategic approach: Establishing priorities, expectations, and oversight of risks and efforts to address them

The security organization’s focus is on identifying risks, recommending responses to these risks, facilitating the appropriate tradeoff decisions related to these risks, and providing line of sight to the execution of these risk responses.

A security operating model enables this approach. It provides governance and oversight of security for the entire organization, where the business is not only a recipient of the security services, but is also instrumental in the collaboration, implementation, and sustainability of security efforts. When viewed holistically, the operating model utilizes a risk-based approach to identify and prioritize risk mitigation efforts to appropriately secure the enterprise’s mission. The core of a security operating model is a collaborative continuous improvement process designed to sustain the controls that secure the enterprise.

A comprehensive security operating model includes the following components:

  • Clearly defined governance and oversight responsibilities, including scope of asset responsibilities
  • A risk-based planning process that engages business stakeholders in risk tradeoff decisions and prioritizes security investments and utilization of scarce resources
  • A security program that defines and documents security expectations of asset owners throughout the enterprise
  • Oversight mechanisms that provide an objective view of enterprise security risks and performance against the security controls, both implementation and sustaining performance

This model provides the organization’s agreed-upon approach for responding to security risks and establishes expectations for who is responsible for what. This becomes the baseline that security performance is monitored against.

No two operating models are the same, and each organization faces its own unique set of challenges. But the success of any operating model relies on the following:

  • It is aligned with the organization’s security stakeholders
  • It is grounded in securing high-risk areas, using the most effective method of mitigating risk tailored to the organization’s risk tolerance
  • It provides oversight that paints an objective picture of the organization’s security risk posture

Ultimately, security should operate like a conductor in an orchestra, leading multiple instruments in unison around a common piece of music (i.e., the operating model). A deliberate effort must be made to blend their melodies and harmonies to orchestrate the symphony that is successfully securing the enterprise’s mission.

ScottMadden can help you achieve your security goals. For more information about our security operating model and the key recommendations for success, please contact us.

Additional Contributing Author: Hayden Overly

View More

Contributing Authors

Henry Bell Director

Welcome to ScottMadden!

Sussex Economic Advisors is now part of ScottMadden. We invite you to learn more about our expanded firm. Please use the Contact Us form to request additional information.