The Way Forward with Cyber Security Target Operating Models
“Process and People first, THEN Technology” will always be at the heart of the winning formula here
Many large organisations across all industries face the same challenges around cybersecurity and privacy: Growing regulatory demands, compounded by escalating cyber threats and skills shortages, and a business landscape dominated by the COVID pandemic and its aftermath.
Very often, their cyber security operating model has simply grown organically over the years and needs re-engineering or re-structuring:
- to bring it in line with evolving regulatory frameworks;
- to align it with industry best practices in terms of three lines of defence and risk management;
- and fundamentally, to give senior executives assurance that their business remains adequately protected from cyber threats across people, process and technology levels.
So what are the best ways to move forward with a cyber security operating model re-engineering programme?
First of all, it is key to accept that the main challenges in delivering a new operating model will be leadership challenges: Creating an effective cyber security practice often stems from driving cultural and governance changes across an organisation: It requires a coherent leadership vision, long-term action and relentless drive to succeed.
That’s why the approach to building the new operating model must be as interactive and iterative as possible: Engaging with all stakeholders and getting them onboard from the start is key, as going forward THEY will have to live the values of the TOM and make it happen in real life.
Also key will be to understand that a radical shake-up of approaches around cyber security (if that’s what’s required) cannot be driven simply bottom-up or horizontally across the business: It needs a top-down element to succeed, and in that respect, a clear endorsement from senior stakeholders is also essential, before the new operating model is taken to its actors for validation and implementation; quite often, the involvement of HR will also be required if organisational arrangements or job descriptions have to change (in some geographies or industries, employee representatives, trade unions or workers councils may also have to be informed or consulted).
Finally, all too often, we see those projects failing on excessive complexity and internal politics: Simplicity, clarity and transparency of objectives are always the best success factors in any new operating model implementation.
A cyber security TOM has to be seen as a high-level description of the operational PROCESSES which need to be in place across the cyber security team, the business and the support functions to ensure an adequate and regulatory-compliant protection of the organisation from cyber threats.
The TOM is implemented through an organisational model, which documents specific roles (through role descriptions) and accountabilities and responsibilities (through an overall RACI mapping) for all the PEOPLE involved in the delivery of the TOM.
Going forward, it is the new leadership structure defined as part of the new organisational model, which needs to take ownership of building up action plans to deliver on the actual alignment of their respective practices with the process content of the TOM (each depending on the specific level of maturity of their area); it is in that context that they should drive the selection of the relevant TECHNOLOGY products and service providers to help them with that.
There is no need for specific technical requirements to be an integral part of the TOM itself, which – should remain a governance framework.
Regulatory frameworks (such as NIS, PCI DSS, GDPR etc…) must inform the TOM, which in turn must contain the right process components to ensure that the relevant technical aspects coming from those regulations are embedded in technical policies, procedures and standards, and are properly implemented within critical systems.
A review of the content of technical policies, procedures and standards may be required as part of the implementation of the new TOM to ensure all regulatory requirements are captured, and the TOM should also ensure that a process is in place to review periodically the technical compliance of critical systems against all the regulatory frameworks they need to comply with, as well as internal policies.
“Process and People first, THEN Technology” will always be at the heart of the winning formula here: Technology to support a structured set of processes, that enable people to protect the business from cyber threats.