Operating Models


What to consider when incorporating a successful Operating Model

July2022 - Michael Simkovic, Chief Executive Officer, CSO Group

Cyber security has become a top priority for organisations, impacting all areas of business activity, and for good reason, although quite often organisations are approaching this area with limited understanding of what it takes to address cyber security challenges effectively.

The importance of leading with a well structured operating model to sustain your cyber security strategy investment and efficacy is quite often overlooked. A true operating model is broader than just your security team and cyber services...

The approach to addressing these challenges will look different from one organisation to the next, but what is essential is that having a strong operating model in place enables organisations to address those challenges effectively. This can demand resources and skills that many organisations don’t have ready access to in house and with an ever-increasing dearth of talent and skilled resources, the challenge is constantly increasing. That said, it primarily requires an understanding of what needs to be considered to incorporate an operating model that will achieve success:

What is a security operating model, and why is it important?

A security operating model takes organisations away from the entry level approach of viewing cyber risks as a security and technology problem instead of a whole-of-business question. The security operating model lets the business start to look at security in a more strategic and inclusive way with a focus on risk and culture, instead of just tools and controls.

The security operating model should include:

  1. a plan for security based on the risks the business faces,
  2. measurement tools that illuminate the success or failure of security tactics,
  3. a governance model that informs all decision makers,
  4. a framework for the security controls that are in place,
  5. the ability to gain full visibility into and control over security measures,
  6. a set of tools to carry out security functions such as intrusion detection, or incident remediation.

Having a security operating model in place reduces siloed thinking around security. This can help eliminate gaps that often appear when security responsibilities sit with just one team or when no one is truly accountable for security.

Security operating models also help organisations comply with regulatory requirements, implement best practice security methodologies, and meet increasing customer and stakeholder demands around resilience and risk management.

How to develop a security operating model?

Across every organisation, the operating model for cyber security can look very different. Some organisations may view it as business charts and boxes on a diagram of interfaces, and others may view it as a series of roles and responsibilities.

However, for all organisations, cyber security is a whole-of-business problem and not just a technical problem, much like workplace health and safety. Although one person or department may have custodianship over reviewing security, businesses need an operating model that shares the responsibility across business areas, departments, staff, and third-party organisations.

For example, most organisations are likely to be using cloud services. This means the cyber security operating model needs to extend to the cloud provider and ensure that the provider’s accountability and responsibilities are clear, and the touchpoints are well-defined.

Determining a business’s cyber risks starts with understanding the business itself and its digital agenda, and then considering the risk appetite and requirements for each division and business area. All business areas will have some element of risk; however, these risks may be more apparent in particular divisions such as finance and invoicing.

Through technology capabilities, organisations should have many protection mechanisms already in place to mitigate cyber risks. However, the most effective defensive operating model requires two main areas of focus:

1.      Building a cohesive culture

Organisational culture plays a large part in the success of an operating model. Security is a whole-of-business approach and the culture within the business needs to reflect this acceptance. Part of the business culture is the ecosystem itself, which is constantly evolving, requiring new levels of awareness, energy, resources, and funding.

This means that the operating model needs to be adaptable to changes with a cyber risk aware culture that is facilitated across the organisation. The cyber adversaries that businesses face today will not be the same in 12 months, which is why consistent training is needed for stakeholders to remain accountable.

Organisations should, therefore, mandate that all employees undergo a minimum level of cyber security training and awareness. Conducting regular cyber security training that is tailored to lines of business or job functions can help keep security top of mind for everyone in the business. This can reduce the risk of phishing attacks, for example, which prey on unwary employees. When team members undergo regular training, they tend to be able to spot phishing attempts more successfully.

The training should be conducted frequently and in short bursts to maintain employee engagement and information retention. This will also help to reinforce the company’s overall security posture and risk tolerance so that employees understand what is acceptable and what isn’t in terms of their online behaviour. For example, some organisations prefer to tightly control the apps and platforms that employees use for work, while others have a higher risk appetite and are willing to give employees more freedom in that area.

2.      Defining roles and responsibilities

One of the biggest challenges can be an acceptance of responsibility and accountability. This is best performed using a RACI matrix that can be simply maintained and communicated effectively and continuously. Organisational leadership needs to be clear on what role everyone plays in the model. It’s also important to communicate the importance of these roles across the risk, technology, and business division stakeholders, as well as system integrators, vendors, and other third parties.

People aren’t always aware of how their behaviour could affect the organisation, regardless of their role or seniority in a company. For example, using (or reusing) weak or obvious passwords can make it easier for cyber criminals to steal credentials that can then be used to infiltrate the organisation’s environment. It’s essential to ensure that each individual understands the outsized impact their actions can have on the organisation’s security, both positive and negative. 

Often, it can help to write role descriptions to help divisions and stakeholders understand the part they play. However, a natural evolution for an organisation can sometimes start by putting boundaries around the term ‘operating model’. This can help to understand the business and technology interface, and all the stakeholders to bring on board, as well as the hand-offs and touchpoints. Then, the next step is to consider how to scale this, what resources will be needed to put in place to build it out, and what capability will need to be developed.

Where to from here?

Organisations that only view cyber risks as a security and technology problem will struggle more to protect themselves and mitigate threats. An effective security-focused operating model needs to consider who the stakeholders are and how they communicate, fostering the right engagement, obtaining appropriate funding, and looking to build a culture that strives to improve cyber resilience each day.

A true operating model is broader than just your security team and cyber services; it’s your business as a whole.


CSO Group provides organisations with effective cyber security services, risk management, and protection. To find out more about how we can help your organisation improve its cyber resilience through an effective operating model, contact the CSO team.