The new cybersecurity operating model

Help your organization become more resilient and reach its business goals.

slalom.com



Struggling to meet security goals

While the digital economy is providing major opportunities to lower costs, increase revenue, and improve customer satisfaction, it’s also drastically exposing businesses to more inventive and advanced cyber attacks. This is why many companies are investing large amounts of money and resources to develop comprehensive cybersecurity roadmaps. In fact, Gartner predicts that the global spend on security will increase to $93 billion in 2018.

Yet many companies are failing to meet their security goals. Why? In many cases, security organizations fail to evolve their structure and how they operate to support corporate goals. In these cases, information security (infosec) isn’t a part of corporate strategy or a business enabler; it’s just a supporting function and shared service.

So how do you create a security operating model that makes your company more resilient and supports your business goals? By strategically building and managing infosec’s relationship to the business.

Here are the five key principles of a security operating model that will enable your organization to do just that.


1. Extend shared ownership of cyber risks across the business

Business stakeholders and asset owners often share the same view: that the infosec team is responsible for managing security risks and protecting digital assets across the entire enterprise. However, this belief is instilling the wrong behaviors and culture, leading to employees with a limited understanding of cyber risks and how they’re managed. And if employees don’t understand risk management, the broader organization can’t effectively manage cyber risks.

In addition to leading by example, infosec leaders have the opportunity to define leadership, education, and communication strategies to promote shared responsibility and high performance around specific behaviors.

Create a function dedicated to security awareness and training

It should become a daily habit for every employee to help protect their organization against cybersecurity threats. To create this habit, they need education and training—delivered in a way that sticks with them.

Create a dedicated function to educate employees, contractors, and leaders across your entire enterprise on their security responsibility. These education campaigns should be a combination of communication and training tailored to different audiences.


Security awareness trainings are often taken online, very quickly, and immediately forgotten. Instead, organizations should incorporate gamification, like rewards and competition, into trainings and tailor the training to change specific behaviors.

It’s also important to develop processes to deliver cohesive and regular communication to avoid information overload and ensure that the new trainings work. As this function matures and the level of risk awareness increases, test campaigns must become more and more sophisticated to continually improve security and risk awareness.

Incorporate risk awareness trainings

Going a step further, infosec leaders should conduct risk awareness trainings for the most eager employees. These prompt employees to identify which activities have the highest likelihood of risks resulting in adverse events, and how to prioritize impact.

By tailoring awareness trainings to incorporate risk, security leaders can help employees think in terms of problem-solving and identifying risk, not just memorizing what actions not to take. Employees can’t own risks if they don’t understand how risk management works. Once they start thinking about risks, however, they begin enforcing the right security behaviors and culture.


2. Promote the role of infosec within the enterprise

Typically, infosec is seen as a technology topic. The infosec program is embedded within IT, performing tactical and operational activities often centered around compliance management. But this type of structure limits the organizational reach of infosec leaders and hinders their capacity to directly engage and collaborate with the business.

The absence of business engagement has a direct impact on the ability to develop an infosec program and strategy that’s tailored to support business requirements. It also creates a lack of executive awareness and support, which poses challenges for infosec leaders to elevate cybersecurity issues to the C-suite.

It’s important to develop a stand-alone infosec program that promotes the role of the infosec organization across the C-suite and the broader enterprise, ensuring that cybersecurity risks are fully assessed, understood, and considered as top strategic issues directly reported to the board. Infosec capabilities can therefore be aligned to the strategic priorities, and in return increase leadership understanding and sponsorship of the necessary investments required to manage the security risks.

Organizations should treat cybersecurity risks the same way they do other critical business risks: by frequently briefing the C-suite on cybersecurity issues so they can make informed risk decisions. In addition, executive oversight and sponsorship should focus enterprise attention and effort on cybersecurity issues by providing adequate resources (e.g., budget) to implement and monitor a comprehensive infosec strategy.

In the last few years, a proliferation of materials and guidance has surfaced to engage boards on cybersecurity topics. For example, the National Association of Corporate Directors (NACD) releases guidance on board cybersecurity leadership. One of its guiding principles explains that organizations should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Sharing these resources and tips with executives will help infosec teams get executive sponsorship for their efforts.


3. Move from a compliance management to a strategic advisory role

Security, compliance, and risk are three discrete efforts, but they are often conflated under the same program. When not communicated correctly to the rest of the organization, they can all feel like compliance. If organizations drive their security and risk initiatives from a compliance perspective, the program takes on a requirements-heavy approach, which won’t necessarily increase security resilience. When a risk-based approach drives security initiatives, resource alignment is more likely to be well balanced, because it focuses on the high-priority risks. It’s also easier for employees across the rest of the business to understand why some security activities are more important than others.

Moving to a risk-based approach isn’t a new concept, but organizations still struggle with realigning traditional security efforts within this context. Organizations that strike the balance well frame their infosec organizations as consultative practices that support the rest of the business. Like any consultant, however, infosec has to resist the temptation to give guidance or instructions without taking the time to understand the complexity of the business drivers.

The ideal result of a consultative practice is an organization that is able to strategically manage security risk. It can also identify and communicate clear justifications for accepting certain risks in its environment, and support organizing teams and resources to address its most critical risks first. Security is included as a requirement alongside other functional requirements for application builds and design sprints. And the business starts to internalize that products are brittle and may incur technical debt unless security becomes part of the design.

So how does infosec become a strategic advisor to the rest of the business?

• First, infosec must accept that its role is to help the business build and run.

• Infosec must understand where security goals differ from goals of development teams or infrastructure teams.

• Infosec should work with business units to map enterprise security risks to organizations and specific roles who will become partners in owning the risks. This change is an outgrowth of executive—and often board-level—involvement to set the tone and priorities around cyber risk as part of an organization’s larger business risk management programs.

4. Empower external engagement

Infosec needs to be able to clearly articulate its narrative (i.e., mission, direction, and strategic objectives) to elicit action from its stakeholders. The cybersecurity and technology landscape is changing so quickly that an organization should have a strategy for how it wants its security approach to be seen and perceived, and to drive industry relations among other external business partners and stakeholders.

One of the most powerful ways an organization can share its security priorities and influence others is through engaging external partners, like universities, research labs, and industry groups. Organizations in highly regulated spaces can find themselves in victim mode, struggling to understand new policies and regulatory requirements and pushing back against regulators. Organizations that provide critical infrastructure services may also be the target of orchestrated attack campaigns occurring across entire industries. This can create a reactive security culture, where infosec gets in the habit of scrambling to respond to new requirements and therefore struggles to keep up with competitors and peers.

Also, organizations may have some resources set aside to buy memberships into information sharing and analysis centers (ISACs), and participate in conferences, but may not always have a strategy behind the spend. The result is minimal understanding of the effect these investments have on the rest of the organization.

To combat this, create a specific security engagement function for addressing this reactive versus proactive struggle.


Establish a dedicated function—whether it’s part of one person’s job description or a small team—within infosec to create a strategy for driving external priorities and influencing sector-wide policies and regulations. Being able to show a return on investment is key to the success of the external engagement function. To make engagement successful, infosec must define its desired engagement outcomes for each stakeholder, and how those goals support the vision of the broader organization and the infosec function.

By conducting rigorous stakeholder analysis to identify barriers and mutual opportunities, infosec can then prioritize which stakeholders it needs to spend the most time influencing, partnering with, or educating. For example, we worked with a leading utility company to perform a detailed external stakeholder assessment. We reviewed over 30 stakeholders, ranging from government and regulatory agencies to research institutes, based on defined assessment criteria and scoring metrics. The results of the assessment were used to define the overall engagement strategy, enabling the infosec team to lead and influence security discussions and activities across the industry in the U.S.

5. Enable business integration and cross-functional collaboration

Risk and security management capabilities should be distributed and embedded within the enterprise. Specifically, infosec professionals should be dedicated to one or multiple business units while being part of a central infosec team. This creates a greater cross-functional integration and enables the entire enterprise to be aligned on top security risks. Infosec can then take an active role in strategic planning activities, strengthening organizational alignment by understanding and supporting the broader business roadmap and helping align it to the company risk tolerance.

When infosec and the business are aligned, it benefits both. Business units get dedicated security resources that understand their strategic objectives and business needs, and security can deepen its business integration, providing security solutions that fulfil both risk management and business strategies.

For example, assigning a security engineer to support web development or security devices in distributed retail stores helps that individual develop trusted relationships and learn critical requirements at a detailed level. This level of knowledge then enables him or her to provide more targeted support and advocate for that group within infosec. It also enables security requirements to be included in product design meetings, sprint plans, or strategic roadmaps.

However, many organizations don’t have the capacity within the security team to focus on several lines of business. When this is the case, organizations can still create assignments for security members to focus on specific parts of the business and develop deeper specialties in those areas. They can also look into supplementing security teams with volunteers—security champions—from parts of the business who want to maintain an open channel of communication with the infosec team and start to spread best practices within their own teams as their level of security knowledge grows.

Because different parts of the business move forward at different speeds, distributing risk and security responsibility across the organization—and equipping teams to feel that they own their own risks—becomes crucial to meeting the challenge of under-resourced security teams.

Success: How do you know if it’s working?

The ultimate goal of this new security operating model is to achieve a greater level of integration between infosec and the business. As organizations pursue this goal, they have to get to a greater level of transparency and performance reporting to prove that the new model is effectively managing risk.

Organizations starting out with traditionally siloed infosec groups can begin with simple engagement metrics as infosec seeks to partner better with the business. These metrics can track the degree of proactive outreach from the business to infosec for questions and consultation, and where in the project (or product) lifecycle these forms of outreach occur.

Ultimately, effective metrics depend on data quality and meaningful reduction in risk. But unfortunately, the most compelling metrics around risk reduction often can’t be tracked because the data is too difficult to collect. Organizations can start with an exercise of identifying what data is available, how reliable it is, and the level of effort required to remediate data availability/quality issues.


This exercise is valuable for infosec to understand the overall health of the data landscape they rely on to perform their duties. It can also be used as a catalyst to drive accountability from asset owners to increase overall data quality. As your infosec team matures and adopts the new operating model, it has to continually review and assess metrics to ensure their relevance in decision-making and to track business outcomes, such as risk mitigation and security awareness.

A win for security and the business

Too many industries are vulnerable to cyber attacks for employees to not think about protecting company assets, and too many businesses see their time-to-market delayed by security reviews for infosec to avoid partnering with the business.

Infosec teams should invest in better internal and external partnerships—internally to ensure the longevity and success of the company, and externally to glean important cybersecurity information and influence the broader security landscape to drive changes in regulations, policies, research, standards, and frameworks development. The result: organizations that will be able to reach their business goals faster and more securely than ever before.


About the author

Adrienne Allen, who is no longer with Slalom, co-wrote this piece.

Raph Casadel is a solution principal within Slalom’s business advisory services practice in San Francisco. Raph has over eight years of international management consulting experience translating broad organizational vision into how businesses should be structured and operate to meet their strategic objectives. He’s passionate about building effective organizational change through operating model design and implementation.


© 2017 Slalom, LLC. All rights reserved.

About Slalom

Slalom is a purpose-driven consulting firm that helps companies solve business problems and build for the future, with solutions spanning business advisory, customer experience, technology, and analytics. We partner with companies to push the boundaries of what’s possible—together. Founded in 2001 and headquartered in Seattle, WA, Slalom has grown organically to over 5,000 employees. We were named one of Fortune’s 100 Best Companies to Work For in 2018 and are regularly recognized by our employees as a best place to work. You can find us in 27 cities across the U.S., U.K., and Canada. Learn more at slalom.com.