I recently had the opportunity to speak at a security conference where I presented the operating models that an organization can embrace when managing cyberthreats and the guiding principles associated with them. It was a great chance to share some of my experiences with the greater community and foster intellectual curiosity around an increasingly important topic.

A Shift in Approach

Maintaining a strong security posture is a dynamic challenge for any organization. It depends on many factors, which can vary over time; companies across the globe are migrating to the cloud to scale more quickly, adopting the latest technology trends to expand their digital footprint and embracing new methodologies such as DevOps to accelerate time to market and address customer expectations.

Yet companies’ operating models are bolted onto an old paradigm that is not delivering the expected value. Although there’s no one-size-fits-all approach to the question of how to best organize the next security operations model, it is often effective to start with a top-down approach involving executives to establish a common aspiration and enable the broader transformation.

The four principles identified below are distilled from the lessons learned during many security transformation journeys.

1. Define Your Goals Clearly

A cybersecurity transformation requires leaders to clearly articulate the goals and principles that are driving it. After aligning all involved parties on these goals, executives can prioritize the work to be done.

Large organizations will have many items on their agenda, so it’s vital for management to agree on what comes first according to the principles. Moreover, this clarity helps middle management become a sponsor as well, enabling deeper, better-managed initiatives that harness the full potential of all available resources.

2. Build a Strong Security Culture

A strong security culture is the foundation of an effective operating model. However, this kind of mindset requires more than just the occasional security awareness training. To ensure every single employee sees security as an intrinsic part of their responsibilities, it’s necessary to build and maintain a security culture up, down and across all levels of the organization.

Using language accessible to all parties, provide clarity around security operations. Promote it as an enabling presence that protects the business and its employees rather than as a barrier that imposes restrictions on business.

3. Create an Adaptive Organization

When the security operations team works on an island, with no connection to cross-functional business strategy, the results of their work have limited impact. Imagine the vulnerabilities created by a large IT project with no involvement or oversight from the security team.

Security should be integrated into all processes from the ground up rather than as an afterthought to the main objective. Although there’s no specific organizational model for adaptive security, creating interdepartmental teams that make integrated decisions to protect corporate information and assets is paramount. Companies achieve their goals more quickly and efficiently by joining forces rather than making fragmented, piecemeal efforts across the enterprise.

4. Partner to Strengthen Readiness and Resilience

It’s no longer possible to succeed alone. Many cybersecurity firms have evolved from providers of technology into, in many cases, key members of the executive team.

Many companies require a trusted partner to guide their security operations centers (SOCs) through their security transformation journey and advise them in day-to-day security and threat operations. Sourcing best-in-class capabilities from partners not only allows an organization to grow with less capital, but also enables it to pursue innovation through collaboration.

Don’t Wait for Threats to Come to You

Boards and CEOs alike must reevaluate the security journey from end to end, as countless organizations in both the public and private sectors and across all industries have lost a lot due to security incidents. Transforming the old security operations model is crucial to unlocking cyber resilience capabilities that enable an organization to stay ahead in this ever-changing threat landscape.

Again, there’s no one set way to accomplish this transformation — multiple roads can lead to success. But making the right choices at the beginning of the journey is fundamental to achieving and sustaining business results.

It’s never too soon to start laying out a road map that fits your organization’s resources — people, processes, culture and technology — to set the stage for your next-generation security operations model.
